In answer to my own question, I have found the following -
The 'official node' (node-red-node-fitbit (node) - Node-RED) does not seem to want to authenticate. it looks like it is old (last release says nearly 12 years) and FitBit have updated their authentication methods. Maintainer is listed as @dceejay but that may be as it is also part of a wider set of flows.
There is a contrib node (node-red-contrib-fitbit (node) - Node-RED) but again has not had any updates recently. It may work, but I could not get the right callback URL.
However, there is a fork of the contrib node (GitHub - inglevir/node-red-contrib-fitbit) which does work and has had some recent updates to it.
You do need to set your Node-RED instance up using https, but other than that the authentication worked first time and it usefully provides the correct callback URL.
Is there any appetite to get a 'core' node working well and develop the data recovered from the API? My JS is not up to it, but happy to test .
I'd also like to write data to FitBit as well.
The forked node does what I need right now (which was to get the Battery Level) so I can trigger some reminders to charge/take off charge which was my primary driver at the start of this.
After more investigations, it is clear these nodes are designed to work with an old API that only probably still works as it is a legacy format. Take a list of activities (API Docs Get Activity Log List) the API docs suggest the URL should be of a format such as;
The forked node is generating a URL like (ignore the distance parameter)
I suspect changing the format might be relatively easy if I understood enough JS. I think probably the nodes need an extensive update to match the API.