Third-party applications

(new in 0.7.0)

FitTrackee provides a REST API (see documentation) whose most endpoints require authorization/authentication.

To allow a third-party application to interact with API endpoints, an OAuth2 client can be created in user settings (‘apps’ tab).

Warning

OAuth2 endpoints requiring authentication are not accessible by third-party applications (documentation), only by FitTrackee client (first-party application).

FitTrackee supports only Authorization Code flow (with PKCE support). It allows to exchange an authorization code for an access token. The client ID and secret must be sent in the POST body. It is recommended to use PKCE to provide a better security.

The following scopes are available:

• application:write: grants write access to application configuration (only for users with administration rights),

• profile:read: grants read access to auth endpoints,

• profile:write: grants write access to auth endpoints,

• users:read: grants read access to users endpoints,

• users:write: grants write access to users endpoints,

• workouts:read: grants read access to workouts-related endpoints,

• workouts:write: grants write access to workouts-related endpoints.

Note

OAuth2 support is implemented with Authlib library.

Warning

If FitTrackee is running behind a proxy, the X-Forwarded-Proto header must be set.

For instance for nginx:

proxy_set_header  X-Forwarded-Proto $scheme;

Some resources about OAuth 2.0:

• OAuth 2.0 Simplified by Aaron Parecki

• Web App Example of OAuth 2 web application flow with Requests-OAuthlib (python)

• OAuth 2 Session with Authlib (python)

• Minimal example of an application interacting with FitTrackee (python)