How do I install Fitbit?

Fitbit is a local plugin. Install it using npm package: fitbit-mcp-unofficial and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Fitbit need?

Fitbit requires the following credentials or environment variables: FITBIT_CLIENT_ID, FITBIT_CLIENT_SECRET, FITBIT_REDIRECT_URI, FITBIT_TOKEN_PATH, FITBIT_PRIVACY_MODE, FITBIT_CACHE, FITBIT_CACHE_PATH. You can find setup instructions on the server detail page.

What AI apps work with Fitbit?

Fitbit uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Fitbit MCP Server

by davidmosiah

Developer ToolsUse Caution4.8LocalNew

Free

Privacy-first, unofficial Fitbit MCP server for AI health, sleep, activity and heart-rate agents.

About

Privacy-first, unofficial Fitbit MCP server for AI health, sleep, activity and heart-rate agents.

Security Report

4.8

Use Caution4.8High Risk

This is a well-structured Fitbit OAuth MCP server with proper authentication via OAuth 2.0, secure local token storage, and appropriate permissions scoping. The code demonstrates good security practices including input validation with Zod schemas, no hardcoded credentials, and privacy-aware data handling. Minor code quality issues and broad exception handling do not significantly impact the security posture. Supply chain analysis found 3 known vulnerabilities in dependencies (0 critical, 3 high severity). Package verification found 1 issue.

5 files analyzed · 8 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

env_vars

Check that this permission is expected for this type of plugin.

File System Read

Reads files on your machine. Normal for tools that analyze or process local data.

File System Write

Writes or modifies files on your machine. Check that this is expected for the tool.

HTTP Network Access

Connects to external APIs or services over the internet.

file_system

Check that this permission is expected for this type of plugin.

What You'll Need

Set these up before or after installing:

Fitbit OAuth client ID. Optional when configured with fitbit-mcp-server setup.Optional

Environment variable: FITBIT_CLIENT_ID

Fitbit OAuth client secret. Prefer fitbit-mcp-server setup so this secret is stored in ~/.fitbit-mcp/config.json instead of MCP client config.Required

Environment variable: FITBIT_CLIENT_SECRET

Redirect URI configured in the Fitbit Developer Dashboard. Optional when configured with fitbit-mcp-server setup.Optional

Environment variable: FITBIT_REDIRECT_URI

Optional local path for OAuth tokens. Defaults to ~/.fitbit-mcp/tokens.json.Optional

Environment variable: FITBIT_TOKEN_PATH

Optional payload mode: summary, structured, or raw. Defaults to structured. raw means full Fitbit API payloads, not continuous 24/7 raw sensor telemetry.Optional

Environment variable: FITBIT_PRIVACY_MODE

Optional SQLite cache toggle. Set to true or sqlite to enable.Optional

Environment variable: FITBIT_CACHE

Optional local SQLite cache path. Defaults to ~/.fitbit-mcp/cache.sqlite.Optional

Environment variable: FITBIT_CACHE_PATH

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-davidmosiah-fitbitmcp": {
      "env": {
        "FITBIT_CACHE": "your-fitbit-cache-here",
        "FITBIT_CLIENT_ID": "your-fitbit-client-id-here",
        "FITBIT_CACHE_PATH": "your-fitbit-cache-path-here",
        "FITBIT_TOKEN_PATH": "your-fitbit-token-path-here",
        "FITBIT_PRIVACY_MODE": "your-fitbit-privacy-mode-here",
        "FITBIT_REDIRECT_URI": "your-fitbit-redirect-uri-here",
        "FITBIT_CLIENT_SECRET": "your-fitbit-client-secret-here"
      },
      "args": [
        "-y",
        "fitbit-mcp-unofficial"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

Fitbit MCP Unofficial

Unofficial, local-first Model Context Protocol server for connecting AI agents to user-authorized Fitbit data through the official Fitbit Web API.

It is designed for Claude, Cursor, Windsurf, Hermes, OpenClaw and other MCP clients that need safe access to activity, sleep, heart-rate, HRV, weight and nutrition context.

Not affiliated with, endorsed by, or sponsored by Fitbit or Google. Not medical advice.

What It Supports

OAuth 2.0 authorization code flow with local token storage.
Activity summaries and activity logs.
Sleep logs and sleep-stage summaries when Fitbit provides them.
Daily heart-rate zones and resting heart rate.
Intraday heart-rate samples when the Fitbit app/API access permits it.
HRV, SpO2 and breathing-rate endpoints when available for the account/device.
Weight, food and water logs.
Daily and weekly agent-ready summaries.
Privacy modes: summary, structured, raw.
Hermes-focused agent manifest and setup diagnostics.

Quick Start

Create a Fitbit app at dev.fitbit.com/apps and set the callback URL to:

http://127.0.0.1:3000/callback

Claude / Cursor / Generic MCP Config

{
  "mcpServers": {
    "fitbit": {
      "command": "npx",
      "args": ["-y", "fitbit-mcp-unofficial"]
    }
  }
}

Hermes

npx -y fitbit-mcp-unofficial setup --client hermes --no-auth
npx -y fitbit-mcp-unofficial doctor --client hermes

After config changes, reload MCP with /reload-mcp or hermes mcp test fitbit. A normal Fitbit data-access issue should not require restarting the Hermes gateway.

Tools

Core setup and safety:

fitbit_agent_manifest
fitbit_capabilities
fitbit_connection_status
fitbit_get_auth_url
fitbit_exchange_code
fitbit_privacy_audit
fitbit_cache_status
fitbit_revoke_access

Data tools:

fitbit_get_profile
fitbit_list_devices
fitbit_get_activity_day
fitbit_list_activities
fitbit_get_activity
fitbit_get_sleep_day
fitbit_list_sleep
fitbit_get_heart_day
fitbit_get_heart_intraday
fitbit_get_hrv_day
fitbit_get_spo2_day
fitbit_get_breathing_rate_day
fitbit_get_weight_day
fitbit_get_food_day
fitbit_get_water_day

Workflow tools:

fitbit_daily_summary
fitbit_weekly_summary

Privacy Model

Tokens are stored locally under ~/.fitbit-mcp/ with user-only permissions. The server never prints access tokens or refresh tokens.

Privacy modes:

summary: minimal fields for safe agent use.
structured: normalized Fitbit data for analysis.
raw: upstream Fitbit JSON, only when explicitly requested.

Health data is sensitive. Do not paste raw payloads publicly. This MCP is for personal context and training/wellness reflection, not diagnosis or treatment.