Oauth1 is going to be deprecated next month

[glena]

Applications should upgrade to OAuth 2.0 by March 14, 2016. OAuth 1.0a support will be removed from the Fitbit Web API on April 12, 2016.

A one hour blackout test will be performed on March 14, 2016. During the test, all OAuth 1.0a requests will fail. You should upgrade your application to OAuth 2.0 by March 14th and use the blackout test as an opportunity to verify no part of your application still uses OAuth 1.0a.

The original OAuth 1.0a documentation can be found here.

https://dev.fitbit.com/docs/oauth2/(edited)

[glena]

it is already supported by passport-fitbit-oauth2