On Jun 24, 2011, at 10:06 AM, Calixto Melean wrote:
> When a user revokes access to a given application using fitbit's web page, is there a reason why you don't remove the corresponding subscriptions for notifications?
>
> This is probably not a common use case, but if we try to sign up the user again for the same application, the API returns an error indicating there is an existing subscription, even though the user has previously revoked access.
Doesn't your application still have a record for that user, and know that there's still an outstanding subscription?
In other words, I'd expect that if this user were to re-authenticate and receive a new token, subscriptions would continue to work under the previous subscription.
You do raise a good point though—if we are still notifying your application that data is available for a user who has revoked access, that would seem to be a privacy concern, although really the only information you glean is that the user recorded activity on a particular date, not what that activity was.
Maybe we should add an additional subscription notification type to let subscription applications know that a particular user has revoked access, so the application can clean up any records it might be storing.