To integrate the Fitbit API with V0 by Vercel, generate a health dashboard UI with V0, implement OAuth2 authorization code flow in Next.js API routes to authenticate users with their Fitbit accounts, fetch activity, sleep, and heart rate data server-side, and deploy on Vercel. Users log in with Fitbit and see their personal health metrics in your custom dashboard.
Build Personal Health Dashboards with Fitbit API and V0
Fitbit tracks millions of health data points — daily steps, calories burned, sleep stages, resting heart rate, activity minutes, and more. The Fitbit Web API makes this data available to authorized applications, enabling developers to build custom health dashboards, research tools, coaching apps, and wellness platforms that display users' own Fitbit data in tailored interfaces. V0 can generate sophisticated health dashboard UIs in minutes; the integration work involves implementing Fitbit's OAuth2 flow so users can authorize your app to access their data.
Fitbit uses the standard OAuth2 authorization code flow: your app redirects users to Fitbit's authorization page, the user grants permission, Fitbit redirects back to your callback URL with an authorization code, and your API route exchanges that code for access and refresh tokens. This is more complex than API key auth but necessary because Fitbit data is personal — the user must explicitly authorize each application to access their health information. Access tokens expire after 8 hours, so your app needs to use refresh tokens to maintain access without requiring re-authorization.
The Fitbit API has a generous free tier with no cost for standard health data access. Rate limits are 150 API calls per hour per user for most endpoints. Fitbit's Intraday data (minute-by-minute resolution) requires applying for permission from Fitbit due to its granularity. For standard dashboards showing daily summaries, step counts, and sleep, the default permissions are sufficient.
Integration method
The Fitbit Web API uses OAuth2 authorization code flow, which requires Next.js API routes to handle the authorization redirect, code exchange for access tokens, token storage, and subsequent authenticated API calls. Users authorize your app to access their Fitbit data, and your API routes fetch that data server-side. Access tokens expire after 8 hours and require refresh tokens to renew without re-authorization. All credentials and tokens are stored server-side and never exposed to the browser.
Prerequisites
- A Fitbit developer account — register at dev.fitbit.com and create a new application to get your client ID and secret
- Your Fitbit application's client ID and client secret from the developer portal
- The callback URL registered in your Fitbit app — must match exactly: https://your-app.vercel.app/api/fitbit/callback
- A V0 account at v0.dev to generate the health dashboard UI
- A Vercel account with your app deployed — you need a stable HTTPS URL for the OAuth callback before testing the full flow
Step-by-step guide
Register a Fitbit App and Generate the Dashboard UI with V0
Register a Fitbit App and Generate the Dashboard UI with V0
Before generating the UI, register your application at dev.fitbit.com. Create a new app, set the application type to 'Personal' for personal use or 'Server' for multi-user apps, and add your callback URL as https://your-vercel-url.vercel.app/api/fitbit/callback. You can use a placeholder URL initially and update it after your first Vercel deployment. Fitbit will give you a client ID and client secret — copy these for later. Then open V0 at v0.dev and generate your health dashboard. Describe the metrics you want to display: step counts, sleep data, heart rate, calories. V0 works well with health dashboard patterns — ring charts for goal progress, timeline charts for sleep stages, trend lines for weekly data. The key design decision is how to handle the pre-authorization state: the dashboard needs a 'Connect Fitbit Account' CTA for first-time users and the full metrics view for returning users. V0 can generate both states if you describe them. Push to GitHub using V0's Git panel.
Create a fitness dashboard with two states: 1) Pre-connection: a centered card showing a Fitbit logo placeholder, headline 'Connect your Fitbit', subtext about what metrics will show, and a 'Connect with Fitbit' button linking to /api/fitbit/auth. 2) Connected state: four metric cards (Today's Steps with progress toward goal, Calories Burned, Active Minutes, Last Night's Sleep), a 7-day step trend bar chart, and a sleep stages donut chart. Add a 'Disconnect' button in the corner. Data from /api/fitbit/today. Use a clean fitness app design with teal and green.
Paste this in V0 chat
Pro tip: Register your Fitbit app with the 'Personal' type initially for easier testing. Personal type apps don't require Fitbit review. If you're building a multi-user app, switch to the 'Server' type later — Server type requires more configuration but supports multiple user accounts.
Expected result: A Fitbit developer app is registered with your callback URL, and a V0-generated health dashboard renders in preview with both the pre-connection CTA state and the connected metrics view using mock data.
Implement the Fitbit OAuth2 Authorization Flow
Implement the Fitbit OAuth2 Authorization Flow
Create two API routes to handle Fitbit's OAuth2 authorization code flow. The first route (/api/fitbit/auth) builds the Fitbit authorization URL and redirects the user to Fitbit's login page. The authorization URL requires your client ID, a redirect URI (your callback URL), response_type=code, and a scope string specifying which data you want access to. Fitbit scopes include activity, sleep, heartrate, nutrition, profile, settings, and location. Request only the scopes you actually display — users see exactly what you're requesting and fewer scopes builds more trust. The second route (/api/fitbit/callback) handles Fitbit's redirect back to your app after the user authorizes. It receives a code query parameter, exchanges it for tokens using a POST request to Fitbit's token endpoint, and stores the tokens securely. Token storage is the architectural decision point: for a single-user personal app, storing in an encrypted cookie or a session is fine. For a multi-user app, store tokens in a database keyed by user ID. The access token expires after 8 hours; the refresh token is valid indefinitely until used or revoked. Include the refresh token workflow so your app doesn't require users to re-authorize daily.
1// app/api/fitbit/auth/route.ts2import { NextResponse } from 'next/server';34export async function GET() {5 const clientId = process.env.FITBIT_CLIENT_ID!;6 const redirectUri = `${process.env.NEXT_PUBLIC_APP_URL}/api/fitbit/callback`;7 const scope = 'activity sleep heartrate profile';89 const params = new URLSearchParams({10 response_type: 'code',11 client_id: clientId,12 redirect_uri: redirectUri,13 scope,14 expires_in: '604800', // 7 days15 });1617 return NextResponse.redirect(18 `https://www.fitbit.com/oauth2/authorize?${params.toString()}`19 );20}2122// app/api/fitbit/callback/route.ts23import { NextRequest, NextResponse } from 'next/server';24import { cookies } from 'next/headers';2526export async function GET(request: NextRequest) {27 const { searchParams } = new URL(request.url);28 const code = searchParams.get('code');29 const error = searchParams.get('error');3031 if (error || !code) {32 return NextResponse.redirect(33 `${process.env.NEXT_PUBLIC_APP_URL}/?error=fitbit_auth_failed`34 );35 }3637 const clientId = process.env.FITBIT_CLIENT_ID!;38 const clientSecret = process.env.FITBIT_CLIENT_SECRET!;39 const redirectUri = `${process.env.NEXT_PUBLIC_APP_URL}/api/fitbit/callback`;4041 const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');4243 try {44 const tokenRes = await fetch('https://api.fitbit.com/oauth2/token', {45 method: 'POST',46 headers: {47 'Authorization': `Basic ${credentials}`,48 'Content-Type': 'application/x-www-form-urlencoded',49 },50 body: new URLSearchParams({51 code,52 grant_type: 'authorization_code',53 redirect_uri: redirectUri,54 }).toString(),55 });5657 if (!tokenRes.ok) {58 throw new Error(`Token exchange failed: ${tokenRes.status}`);59 }6061 const tokens = await tokenRes.json();6263 // Store tokens in cookies (for single-user app)64 // For multi-user: store in database keyed by authenticated user ID65 const cookieStore = await cookies();66 cookieStore.set('fitbit_access_token', tokens.access_token, {67 httpOnly: true,68 secure: true,69 maxAge: tokens.expires_in,70 sameSite: 'lax',71 });72 cookieStore.set('fitbit_refresh_token', tokens.refresh_token, {73 httpOnly: true,74 secure: true,75 maxAge: 60 * 60 * 24 * 30, // 30 days76 sameSite: 'lax',77 });7879 return NextResponse.redirect(`${process.env.NEXT_PUBLIC_APP_URL}/dashboard`);80 } catch (err) {81 console.error('Fitbit OAuth error:', err);82 return NextResponse.redirect(83 `${process.env.NEXT_PUBLIC_APP_URL}/?error=token_exchange_failed`84 );85 }86}Pro tip: For a multi-user coaching platform, replace cookie storage with database storage. Store access_token, refresh_token, and token expiry timestamp in your database linked to the user's account. Use Supabase or Neon (both available as Vercel Marketplace integrations) for this.
Expected result: Visiting /api/fitbit/auth redirects to Fitbit's login page. After authorizing, Fitbit redirects back to /api/fitbit/callback, which stores tokens in cookies and redirects to the dashboard.
Create the Fitbit Data API Routes with Token Refresh
Create the Fitbit Data API Routes with Token Refresh
Create the API routes that fetch real Fitbit data using the stored OAuth tokens. These routes read the access token from cookies, call Fitbit's API endpoints, and handle token expiry. The Fitbit Web API base URL is https://api.fitbit.com/1/user/-/. The dash (-) represents the authorized user. Key endpoints include: /activities/date/{date}.json for daily activity summary, /sleep/date/{date}.json for sleep data, /activities/heart/date/{date}/1d.json for heart rate. Create a shared getFitbitData helper that reads the token from cookies, makes the API call, and handles 401 responses by attempting a token refresh. The token refresh flow calls https://api.fitbit.com/oauth2/token with grant_type=refresh_token and the stored refresh token — using the same Basic Auth header with your client credentials. If refresh also fails (refresh token expired or revoked), clear the stored tokens and return a response indicating the user needs to re-authorize. This token refresh handling prevents users from needing to reconnect their Fitbit daily.
1// app/api/fitbit/today/route.ts2import { NextRequest, NextResponse } from 'next/server';3import { cookies } from 'next/headers';45async function refreshFitbitToken(refreshToken: string): Promise<string | null> {6 const credentials = Buffer.from(7 `${process.env.FITBIT_CLIENT_ID}:${process.env.FITBIT_CLIENT_SECRET}`8 ).toString('base64');910 const res = await fetch('https://api.fitbit.com/oauth2/token', {11 method: 'POST',12 headers: {13 Authorization: `Basic ${credentials}`,14 'Content-Type': 'application/x-www-form-urlencoded',15 },16 body: new URLSearchParams({17 grant_type: 'refresh_token',18 refresh_token: refreshToken,19 }).toString(),20 });2122 if (!res.ok) return null;2324 const data = await res.json();25 const cookieStore = await cookies();26 cookieStore.set('fitbit_access_token', data.access_token, {27 httpOnly: true, secure: true, maxAge: data.expires_in, sameSite: 'lax',28 });29 cookieStore.set('fitbit_refresh_token', data.refresh_token, {30 httpOnly: true, secure: true, maxAge: 60 * 60 * 24 * 30, sameSite: 'lax',31 });32 return data.access_token;33}3435async function fitbitGet(path: string, accessToken: string): Promise<Response> {36 return fetch(`https://api.fitbit.com${path}`, {37 headers: { Authorization: `Bearer ${accessToken}` },38 cache: 'no-store',39 });40}4142export async function GET(request: NextRequest) {43 const cookieStore = await cookies();44 let accessToken = cookieStore.get('fitbit_access_token')?.value;45 const refreshToken = cookieStore.get('fitbit_refresh_token')?.value;4647 if (!accessToken && !refreshToken) {48 return NextResponse.json({ error: 'Not authenticated', needsAuth: true }, { status: 401 });49 }5051 const today = new Date().toISOString().split('T')[0];5253 // Try fetching with current token; refresh if expired54 let activityRes = accessToken55 ? await fitbitGet(`/1/user/-/activities/date/${today}.json`, accessToken)56 : null;5758 if ((!activityRes || activityRes.status === 401) && refreshToken) {59 accessToken = await refreshFitbitToken(refreshToken);60 if (!accessToken) {61 return NextResponse.json({ error: 'Session expired, please reconnect Fitbit', needsAuth: true }, { status: 401 });62 }63 activityRes = await fitbitGet(`/1/user/-/activities/date/${today}.json`, accessToken);64 }6566 if (!activityRes || !activityRes.ok) {67 return NextResponse.json({ error: 'Failed to fetch Fitbit data' }, { status: 500 });68 }6970 const [activityData, sleepRes, heartRes] = await Promise.all([71 activityRes.json(),72 fitbitGet(`/1.2/user/-/sleep/date/${today}.json`, accessToken),73 fitbitGet(`/1/user/-/activities/heart/date/${today}/1d.json`, accessToken),74 ]);7576 const sleepData = sleepRes.ok ? await sleepRes.json() : null;77 const heartData = heartRes.ok ? await heartRes.json() : null;7879 const summary = activityData.summary || {};80 const mainSleep = sleepData?.sleep?.[0];8182 return NextResponse.json({83 date: today,84 activity: {85 steps: summary.steps || 0,86 caloriesOut: summary.caloriesOut || 0,87 activeMinutes: (summary.veryActiveMinutes || 0) + (summary.fairlyActiveMinutes || 0),88 distance: summary.distances?.find((d: { activity: string }) => d.activity === 'total')?.distance || 0,89 },90 sleep: mainSleep ? {91 totalMinutes: mainSleep.minutesAsleep,92 efficiency: mainSleep.efficiency,93 deepMinutes: mainSleep.levels?.summary?.deep?.minutes || 0,94 remMinutes: mainSleep.levels?.summary?.rem?.minutes || 0,95 lightMinutes: mainSleep.levels?.summary?.light?.minutes || 0,96 } : null,97 heartRate: {98 restingHeartRate: heartData?.['activities-heart']?.[0]?.value?.restingHeartRate || null,99 },100 });101}Pro tip: Fitbit's sleep API recently changed — use the /1.2/ version of the sleep endpoint (not /1/) for accurate sleep stage data. The /1/ endpoint exists but returns less detailed stage information.
Expected result: GET /api/fitbit/today returns today's step count, calories, active minutes, sleep data, and resting heart rate for the authorized user. If the token is expired, it automatically refreshes before fetching.
Configure Fitbit Credentials in Vercel and Deploy
Configure Fitbit Credentials in Vercel and Deploy
Push your project to GitHub, then configure credentials in Vercel. Open the Vercel Dashboard → Settings → Environment Variables. Add FITBIT_CLIENT_ID (the OAuth 2.0 Client ID from your Fitbit app's developer portal page), FITBIT_CLIENT_SECRET (the Client Secret from the same page — treat this as a password, never expose it), and NEXT_PUBLIC_APP_URL (your deployed Vercel URL, e.g., https://your-app.vercel.app — this is safe to expose since it's just your domain). The FITBIT_CLIENT_ID and FITBIT_CLIENT_SECRET must not have NEXT_PUBLIC_ prefix. After deploying, return to the Fitbit Developer Portal and update your app's OAuth 2.0 Callback URL to your actual Vercel deployment URL: https://your-app.vercel.app/api/fitbit/callback. This must match exactly — including the https scheme and no trailing slash. With credentials set and the callback URL updated, test the full OAuth flow by visiting your deployed app and clicking 'Connect with Fitbit'. After authorizing, you should be redirected back to your dashboard with real Fitbit data loading. RapidDev's team can assist if you're building a multi-user coaching platform that needs a database-backed token storage system rather than the cookie approach used here.
Pro tip: For development testing, you can use Fitbit's API Explorer at dev.fitbit.com/build/reference/web-api/explore/ to manually call API endpoints with your own OAuth token and see the exact response shapes before writing your transformation code.
Expected result: The full Fitbit OAuth flow works in your deployed Vercel app. Users click 'Connect with Fitbit', authorize the app, and return to a dashboard showing their real health metrics. Tokens refresh automatically without requiring daily re-authorization.
Common use cases
Personal Health Dashboard
A personal dashboard where users log in with their Fitbit account and see today's activity summary alongside historical trends. Shows step count progress toward daily goal, calories burned, active minutes, sleep duration from last night, and resting heart rate.
Create a personal health dashboard with a 'Connect Fitbit' button at the top that links to /api/fitbit/auth. Once connected, show: a step counter card with progress bar toward 10,000 step goal, a calories burned card, an active minutes card, a sleep summary showing total sleep and sleep stages (Light/Deep/REM) from last night as a pie chart, and resting heart rate. Data from /api/fitbit/today. Use a clean health app aesthetic with green accents.
Copy this prompt to try it in V0
7-Day Activity Trend Report
A weekly health report that shows the user's activity data over the past 7 days with trend charts for steps, calories, and sleep. Highlights best and worst days, calculates weekly averages, and shows progress toward weekly activity goals.
Build a weekly health report with a bar chart of daily steps over 7 days (highlight the best day in green), a line chart of sleep hours per night, a calories burned trend, and weekly average cards for steps/sleep/calories. Include a 'streak' indicator showing consecutive active days. Fetch data from /api/fitbit/weekly. Modern minimal health tracker design.
Copy this prompt to try it in V0
Coaching Platform Integration
A wellness coaching platform where clients connect their Fitbit accounts and coaches see their activity data in a multi-client dashboard. Each client's daily step count, sleep quality score, and activity level is displayed alongside coaching notes.
Design a coaching dashboard showing a list of connected clients with their latest Fitbit metrics: today's steps vs goal, last night's sleep score (0-100), heart rate zone minutes, and a colored status indicator (green/yellow/red based on goal completion). Clicking a client shows their detailed weekly trends. Data from /api/fitbit/client/{id}. Clean table-based layout with expandable rows.
Copy this prompt to try it in V0
Troubleshooting
OAuth callback returns 'redirect_uri_mismatch' error from Fitbit
Cause: The redirect URI in your auth request doesn't exactly match the Callback URL registered in the Fitbit Developer Portal. Fitbit is strict about exact URL matching — even a trailing slash difference causes this error.
Solution: Go to dev.fitbit.com → your app → OAuth 2.0 Application Type. Copy the exact URL from your NEXT_PUBLIC_APP_URL/api/fitbit/callback and paste it as the Callback URL. Include https://, no trailing slash. Ensure NEXT_PUBLIC_APP_URL in Vercel matches your actual deployment URL exactly.
Fitbit API returns 401 after token refresh — user has to reconnect repeatedly
Cause: Fitbit's refresh tokens are single-use — once you use a refresh token to get a new access token, Fitbit also sends a new refresh token. If you don't store the new refresh token, the next refresh attempt fails because the old token is invalidated.
Solution: Always update both the access_token and refresh_token cookies/database records when a token refresh succeeds. The refreshFitbitToken function must store data.refresh_token (the new one) along with data.access_token.
1// In refreshFitbitToken, store BOTH tokens:2cookieStore.set('fitbit_access_token', data.access_token, { ... });3cookieStore.set('fitbit_refresh_token', data.refresh_token, { ... }); // NEW refresh tokenSleep data returns null or empty sleep array for some users
Cause: The user hasn't worn their Fitbit device during sleep, hasn't synced their device, or the sleep date is today before the user has gone to sleep. Fitbit only records sleep when the device detects sleep patterns.
Solution: Handle null sleep data gracefully in your UI with a message like 'No sleep data recorded for this date'. Check yesterday's date (not today) for sleep data when showing morning dashboards — Fitbit's sleep record for a night usually falls under the date the user woke up.
1// Use yesterday's date for sleep (more likely to have data than today):2const yesterday = new Date();3yesterday.setDate(yesterday.getDate() - 1);4const sleepDate = yesterday.toISOString().split('T')[0];Cookies are not being set in the callback route after token exchange
Cause: In Next.js App Router, the cookies() function from 'next/headers' requires being called in a Server Component or Route Handler context. If the callback is redirecting via NextResponse.redirect() immediately after setting cookies, the cookie storage might not be committed before the redirect.
Solution: Ensure you're using await cookies() from 'next/headers' (not the request cookies object). Create the NextResponse object for the redirect, set cookies on it directly using response.cookies.set(), and then return the response.
1// Set cookies on the redirect response directly:2const response = NextResponse.redirect(`${process.env.NEXT_PUBLIC_APP_URL}/dashboard`);3response.cookies.set('fitbit_access_token', tokens.access_token, { httpOnly: true, secure: true });4response.cookies.set('fitbit_refresh_token', tokens.refresh_token, { httpOnly: true, secure: true });5return response;Best practices
- Store Fitbit OAuth tokens in httpOnly, Secure cookies (or server-side database) — never in localStorage or regular cookies accessible to JavaScript
- Always update both access_token and refresh_token when performing a token refresh — Fitbit invalidates used refresh tokens and sends new ones
- Request only the Fitbit permission scopes your dashboard actually displays — requesting fewer scopes builds user trust and reduces authorization friction
- Use /1.2/ version of the sleep API endpoint for accurate sleep stage breakdown data (deep, REM, light) — the /1/ version returns less detailed sleep information
- Handle the case where users haven't worn their device or synced recently — show empty states rather than errors for missing data
- For multi-user apps, store tokens in a database rather than cookies, encrypted at rest, with the user's ID as the lookup key
- Test token refresh logic before launch by manually expiring tokens in your test database and verifying the dashboard still works without requiring re-authorization
Alternatives
Frequently asked questions
Does the Fitbit API require users to have a paid Fitbit Premium subscription?
No. The Fitbit API is available to all Fitbit device users regardless of Premium subscription status. Premium subscribers have access to additional app features and insights within Fitbit's own apps, but the API endpoints for activity, sleep, and heart rate data work for all device owners. Some intraday (minute-by-minute) data endpoints require a separate API access application to Fitbit.
Can I access heart rate zone data from the Fitbit API?
Yes. The /activities/heart/date/{date}/1d.json endpoint returns heart rate zone data including minutes spent in Fat Burn, Cardio, and Peak zones as well as the resting heart rate. Heart rate data requires the 'heartrate' scope to be requested in your OAuth authorization. Continuous heart rate tracking requires a Fitbit device that supports heart rate monitoring (most modern Fitbit devices do).
What is the Fitbit API rate limit?
The Fitbit API allows 150 API calls per user per hour for most endpoints. This is per-user, not per-application, so a coaching platform with 1,000 users effectively has 150,000 calls per hour total (150 per user). Dashboard calls that fetch multiple data types (activity + sleep + heart rate) in parallel count as 3 separate calls. With typical dashboard usage patterns, most apps stay well under this limit.
How do I get access to Fitbit's Intraday (minute-by-minute) data?
Fitbit requires a separate API application to access Intraday data — you must submit a request through the Fitbit developer portal explaining your use case. Intraday data provides minute-by-minute step counts, heart rate, and activity data, which is useful for detailed athletic analysis. Standard daily summary data doesn't require this application process.
Will this Fitbit integration still work after Google acquired Fitbit?
The Fitbit Web API continues to function as of 2026, though Google has been integrating Fitbit data more deeply with Google Health. Fitbit's developer platform at dev.fitbit.com remains active and the OAuth2 API described in this guide is the current standard. Monitor Fitbit's developer blog for any deprecation announcements as Google continues integration work.
Can I display Fitbit data alongside sleep data from Apple Health or Google Fit?
Yes, but each platform has its own separate OAuth flow and API. Apple HealthKit requires iOS-native code (not available in a Next.js web app), while Google Fit has its own REST API with Google OAuth2. For a cross-platform health dashboard, you'd implement separate OAuth flows for each platform and merge the data server-side in your API routes.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation