While Strava Developer Challenge 2016 was under way last September, I spent quite some time playing around with Strava API V3.
To access the API, the first step is to get an access token. The process is rather straightforward, as shown in the documentation:
All calls to the Strava API require an access_token defining the athlete and application making the call. Any registered Strava user can obtain an access_token by first creating an application at labs.strava.com/developers.
The API application settings page provides a public access token to get started. See the Authentication page for more information about generating access tokens and the OAuth authorization flow.
However, Strava has defined four different types of permissions to access the API:
public: default, private activities are not returned, privacy zones are respected in stream requests
write: modify activities, upload on the user’s behalf
view_private: view private activities and data within privacy zones
view_private,write: both ‘view_private’ and ‘write’ access
The access token retrieved via My API Application has the default permission, which means it can only read public activities. But I was writing some simple scripts to delete and upload new activities, which requires an access token with write permission. So how do you quickly get a Strava access token with write access without coding up a web application with an OAuth2 authorization flow?
After some investigation, here are the steps.
Get authorization code
Create a request URL for Strava authorization, where the base URL is https://www.strava.com/oauth/authorize and the parameters are:
client_id: your application’s ID, obtained during registration
redirect_uri: URL to which the user will be redirected with the authorization code. A random but unique one on localhost should be fine.
response_type: must be 'code'
scope: 'public', 'write', 'view_private', 'view_private,write'
- Go to the above URL in a browser. (HTTP GET)
- Log in to Strava and click 'Authorize' if needed.
- Browser should go to 404 as
Copy the authorization code from the URL. For example,
The authorization code for the next step is
Use any HTTP REST client to perform a POST to https://www.strava.com/oauth/token as defined in the documentation here.
client_id: your application’s ID, obtained during registration
client_secret: your application’s secret, obtained during registration
code: authorization code from last step
$ curl -X POST https://www.strava.com/oauth/token \
    -F client_id=5 \
    -F client_secret=7b2946535949ae70f015d696d8ac602830ece412 \
    -F code=5919f3e385c6cb039bcc809f27d1e535e36b7a91
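The two steps above can be scripted with a check on the redirect before the code is used. The following is an added example, not code from the original post or from Strava. The function names, the localhost redirect and the placeholder credentials are assumptions, and the handling of an `error` parameter follows the OAuth 2.0 convention rather than anything stated on this page.

```python
# Added example; function names and the localhost redirect are illustrative.
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://www.strava.com/oauth/authorize"
TOKEN_URL = "https://www.strava.com/oauth/token"
SCOPES = {"public", "write", "view_private", "view_private,write"}


def build_authorize_url(client_id, redirect_uri, scope="write"):
    """Return the URL to open in the browser (HTTP GET)."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
    })
    return f"{AUTHORIZE_URL}?{query}"


def extract_code(redirected_url, redirect_uri):
    """Pull the authorization code out of the URL the browser lands on."""
    got, want = urlparse(redirected_url), urlparse(redirect_uri)
    # Only accept a redirect to the URI we asked for.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect does not match redirect_uri")
    params = parse_qs(got.query)
    if "error" in params:  # OAuth 2.0 error response, e.g. authorization declined
        raise PermissionError(params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one 'code' parameter")
    return codes[0]


def token_request(client_id, client_secret, code):
    """Return (url, form fields) for the POST that trades the code for a token."""
    return TOKEN_URL, {"client_id": client_id, "client_secret": client_secret, "code": code}


if __name__ == "__main__":
    redirect = "http://localhost:8976/exchange"  # constructed; nothing listens here
    print(build_authorize_url(5, redirect, "write"))
    # Constructed redirect, as it would appear in the address bar after 'Authorize':
    landed = redirect + "?code=CONSTRUCTED_CODE"
    url, form = token_request(5, "CLIENT_SECRET_PLACEHOLDER", extract_code(landed, redirect))
    print(url, {k: ("***" if k == "client_secret" else v) for k, v in form.items()})
```

Handing the returned form fields to an HTTP client from a script keeps client_secret out of shell history, which the curl form above does not.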