Recently Updated - February 16, 2019. Updated as Strava API has new authentication scopes.
While Strava Developer Challenge 2016 was under way last September, I spent quite some time playing around with Strava API V3.
In order to access the API, the first step is to get an access token. The API application settings page provides a public access token to get started.
However, Strava has defined seven different types of permissions to access the API:
Please refer to the official documentation for what each scope represents.
The access token retrieved via
My API application has the default permission, which means it can only read the public profile. But I was writing some simple scripts to delete and upload new activities, which requires an access token with write permission. So how can one quickly get a Strava access token with write access without coding up a web application with the OAuth2 authorization flow?
After some investigation, here are the steps.
Get authorization code
Create a request URL for Strava authorization, where the base URL is
https://www.strava.com/oauth/authorize and the parameters are:
client_id: your application’s ID, obtained during registration
redirect_uri: URL to which the user will be redirected with the authorization code. A random but unique one on localhost should be fine.
response_type: must be 'code'
scope: 'read', 'read_all', 'profile:read_all', 'profile:write', 'activity:read', 'activity:read_all', 'activity:write'
- Go to the above URL in a browser. (HTTP GET)
- Log in to Strava, then click 'Authorize' and tick the required permissions if needed.
- Browser should go to 404 as
Copy the authorization code from the URL. For example,
The authorization code for next step is
Use any HTTP REST client to perform a POST to
https://www.strava.com/oauth/token as defined in documentation here.
client_id: your application’s ID, obtained during registration
client_secret: your application’s secret, obtained during registration
code: authorization code from last step
grant_type: the grant type for the request. For initial authentication, must always be "authorization_code".
$ curl -X POST https://www.strava.com/oauth/token \
    -F client_id=5 \
    -F client_secret=[REPLACE_WITH_YOUR_CLIENT_SECRET] \
    -F code=c498932e64136c8991a3fb31e3d1dfdf2f859357 \
    -F grant_type=authorization_code
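The browser steps above can be scripted so that the URL is built correctly and the pasted redirect is checked before the code is exchanged. This is an added example, not code from the original post: the function names and the `http://localhost/exchange_token` redirect are made up for illustration, and the `state` parameter plus the `scope` and `error` values echoed back on the redirect are Strava OAuth behaviour that this page does not describe.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://www.strava.com/oauth/authorize"


def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Return (url, state); state ties the later redirect to this request."""
    state = state or secrets.token_urlsafe(16)
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": ",".join(scopes),  # scopes are sent as one comma-separated value
        "state": state,             # assumption: not part of the steps on this page
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_redirect(redirected_url, expected_state, required_scopes):
    """Pull the authorization code out of the URL the browser ended on (the 404 page)."""
    params = parse_qs(urlsplit(redirected_url).query)
    if "error" in params:  # authorization was declined
        raise ValueError(f"authorization refused: {params['error'][0]}")
    if params.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    granted = set(params.get("scope", [""])[0].split(","))
    missing = set(required_scopes) - granted
    if missing:  # permissions can be unticked on the consent page
        raise ValueError(f"scopes not granted: {sorted(missing)}")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect URL")
    return code


if __name__ == "__main__":
    # Constructed sample values; client_id 5 matches the curl example above.
    url, state = build_authorize_url("5", "http://localhost/exchange_token",
                                     ["activity:write", "activity:read_all"])
    print("Open in browser:", url)
    pasted = (f"http://localhost/exchange_token?state={state}"
              "&code=CONSTRUCTED_CODE&scope=read,activity:write,activity:read_all")
    print("code:", parse_redirect(pasted, state, ["activity:write"]))
```

The value returned by `parse_redirect` is what goes into the `code` field of the POST to https://www.strava.com/oauth/token.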