Strava API Guide: How to Authenticate using OAuth 2.0 and Query for Athlete Data

Strava's documentation for authenticating with their API is somewhat convoluted and not entirely straightforward. To help the situation, this guide will walk you through the process of authenticating with Strava's API, and by the end of it, you'll obtain an auth token that can then be used to fetch athlete data.


High-level steps

Overall the process is pretty simple, it's just a matter of getting the details right --

  1. Register (an application) with Strava.

  2. Obtain an authorization code.

  3. Request an access_token.

  4. Query for an athlete's activity data.

What you'll need

As for the tools & technologies required, you really just need:

  • A Strava account

  • Chrome, Firefox, or Edge

  • Postman (or similar)


Register your application

First, you'll need to "register an API application" with Strava, though, you don't actually have to have an application to do so. By going through this process, Strava will create a Client ID and Client Secret for you that you can then use to authenticate with.

To register, go to Settings -> My API Application.

Obtain an Authentication Code

The purpose of this step is to get an authentication code.

The base URL for obtaining an auth code is https://www.strava.com/oauth/authorize. From there, five additional variables need to be provided (as query parameters):

client_id = 12345 //obtained from My API Application page
redirect_uri = "http://localhost/oranges" //any local URL that's not real
response_type = "code" 
approval_prompt = "auto" 
scope = "read_all,activity:read_all" //permission(s) you want to allow

Putting it all together, you should have a URL similar to:

https://www.strava.com/oauth/authorize?client_id=12345&redirect_uri=http://localhost/oranges&response_type=code&approval_prompt=auto&scope=read_all,activity:read_all

Copy & paste this URL into a browser, hit Enter, and you'll be presented with an Authorize form that details the permissions to be granted to the auth token.

After selecting "Authorize" you'll be redirected to the page that was provided in the redirect_uri field. Within that URI there should be a code= portion --

This alphanumeric value is the authorization_code that we want to copy out and use moving forward.

Request an Access Token

With the authorization code in hand, we'll now step over to Postman to make a request that'll return an auth token.

In the request you'll have the following query parameters, with the base URL being https://www.strava.com/oauth/token:

A valid response will include the access_token along with the athlete's profile data:

{
    "token_type": "Bearer",
    "expires_at": 1686524165,
    "expires_in": 21600,
    "refresh_token": "8gB3wE4pX5fQ2mL9rD6cV7zS1nY0tK1aU7oG2eR4",
    "access_token": "3nV7mC2oB1dR9xZ6tY0pW4qK5eL8sG7hJ2uF3",
    "athlete": {
        "id": 123456,
        "username": "username",
        "resource_state": 2,
        "firstname": "firstname",
        "lastname": "lastname",
        "bio": "Gotta run....",
        "city": "city",
        "state": "state",
        "country": "country",
        "sex": "sex",
        "premium": false,
        "summit": false,
        "created_at": "2018-06-10T14:33:54Z",
        "updated_at": "2023-06-11T15:52:55Z",
        "badge_type_id": 0,
        "weight": 85.1234,
        "profile_medium": "https://some.profile.image/medium.jpg",
        "profile": "https://some.profile.image.jpg",
        "friend": null,
        "follower": null
    }
}

And that's it! You can now use this access_token to make further requests to other Strava endpoints, just make sure the token was granted proper scope and that it hasn't expired.

For more information on scope, see Strava Developers | Details About Requesting Access.

Thanks for reading and as always, happy coding!

0
Subscribe to my newsletter

Read articles from Charles Whitehead directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Charles Whitehead
Charles Whitehead

I've been in the software industry for about a decade, currently working as an Azure DevOps Engineer in Human Healthcare. I hold a B.S. in Computer Science and am a Microsoft Azure Administrator. In my personal life I enjoy traveling, playing piano, running, reading, and spending time with family & friends.