Third-party applications
(new in 0.7.0)
FitTrackee provides a REST API (see documentation), most of whose endpoints require authorization/authentication.
To allow a third-party application to interact with API endpoints, an OAuth2 client can be created in user settings (‘apps’ tab).
Warning
OAuth2 endpoints requiring authentication are not accessible by third-party applications (documentation), only by the FitTrackee client (first-party application).
FitTrackee supports only the Authorization Code flow (with PKCE support), in which an authorization code is exchanged for an access token. The client ID and secret must be sent in the POST body. Using PKCE is recommended for better security.
The following scopes are available:
application:write: grants write access to application configuration (only for users with administration rights),
profile:read: grants read access to auth endpoints,
profile:write: grants write access to auth endpoints,
users:read: grants read access to users endpoints,
users:write: grants write access to users endpoints,
workouts:read: grants read access to workouts-related endpoints,
workouts:write: grants write access to workouts-related endpoints.
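The client side of the Authorization Code flow with PKCE described above, as an added example (not FitTrackee's own code): it derives the S256 challenge, builds the authorization URL with the requested scopes, and builds the token POST body only after checking `state` on the redirect. The host, authorize path, redirect URI and function names are assumed placeholders, not values from this page.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders: replace with your instance and registered redirect URI.
AUTHORIZE_URL = "https://fittrackee.example.com/profile/apps/authorize"
REDIRECT_URI = "https://app.example.org/callback"

def code_challenge(verifier):
    """S256 challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Return a fresh (code_verifier, code_challenge) pair for one login."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 range
    return verifier, code_challenge(verifier)

def build_authorization_url(client_id, scopes, challenge, state):
    """URL the user's browser is sent to; request only the scopes needed."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def build_token_request(callback_url, expected_state, client_id,
                        client_secret, verifier):
    """Check the redirect, then return the form fields for the token POST."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    if not secrets.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard the authorization code")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return {  # client ID and secret travel in the POST body
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": verifier,
    }
```

Send the returned fields as a form-encoded POST over HTTPS to the instance's token endpoint, and keep the verifier and state in the user's server-side session between the two steps.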
Note
OAuth2 support is implemented with the Authlib library.
Warning
The X-Forwarded-Proto header must be set:
proxy_set_header X-Forwarded-Proto $scheme;
Some resources about OAuth 2.0:
Web App Example of OAuth 2 web application flow with Requests-OAuthlib (python)
OAuth 2 Session with Authlib (python)
Minimal example of an application interacting with FitTrackee (python)