OAuth Updates

Update: The migration period ended on October 15, 2019

The migration period ended on October 15, 2019 and forever tokens will no longer work. If you did not migrate you will need to reauthorize your users in order to get new tokens. When your users log in, we recommend sending them to authorize with Strava again. If you are having trouble implementing OAuth, please view this guide: https://developers.strava.com/docs/getting-started/#oauth

Refresh Tokens Update

October 15, 2018, marks the beginning of a one year migration period for the Strava OAuth flow.

Prior to this date, anytime an athlete granted access to an application, that app received an access token with no expiration date (also called “forever tokens”). Starting on October 15, 2018, the OAuth endpoints should be used to obtain short-lived access tokens and refresh tokens instead. While the forever tokens will continue to work through October 15, 2019, all applications should be migrated to the new refresh token pattern as soon as possible.

Exchanging your forever tokens for new short-lived tokens will not affect your rate limits.

Scopes Update

In addition, refresh tokens will come with new authorization scopes that increase transparency and control for users. The new scopes follow a pattern of {entity}:{access_level}. Note that new scopes only applies to refresh tokens, and only the legacy forever tokens can use old scopes. As before, a user may opt out of any scope that is requested by the application. It is up to the application to validate the list of scopes granted by the user and provide appropriate error messages if the scopes approved by the user are insufficient for the app to function.

The complete list of authorization scopes after this change is as follows:

  • read - Allows access to public segments, public routes, public profile data, public posts, public events, club feeds, and leaderboards. This scope matches the old default scope, except it no longer includes access to activities and certain athlete endpoints mentioned below.
  • read_all - Allows access to view private routes, private segments, and private events. This scope matches the old view_private scope, except that it no longer includes access to private activities.
  • profile:read_all - NEW! Allows access to read all profile information even if the user has set their profile visibility to “Followers” or “Only You.”
  • profile:write - NEW! Allows access to update the user’s weight and Functional Threshold Power (FTP), and access to star or unstar segments on their behalf.
  • activity:read - NEW! Allows access to read the user’s activity data for activities that are visible to “Everyone” and “Followers.”
  • activity:read_all - NEW! Allows the same access as activity:read, plus access to read the athlete’s activities that are visible to “Only You.”
  • activity:write - NEW! Allows access to create manual activities and uploads, and access to edit any activities that are visible to the app (based on activity read access level).

When you exchange a forever token for a short-lived access token following our migration instructions, we will automatically convert old scopes to new scopes (as shown below) so that you have the same API access for that user with your new tokens. For example, if your user had view_private before, when you exchange a forever token for a short-lived access token, you will automatically get read_all, activity:read_all and profile:read_all for that user. You do not have to email all users and reauthorize them in order to continue being able to access data on their behalf.

scope on forever token scope on short-lived access token
(no scope) read and activity:read
write activity:write and profile:write
view_private read_all, activity:read_all and profile:read_all

Translating the scopes of forever tokens this way will not broaden the access an app has to any existing users. However, in the case of a forever access token without view_private access, the short-lived access token will no longer be able to access the detailed athlete model nor the getLoggedInAthleteZones endpoint. The detailed athlete and logged in athlete zones were previously available under the default (no scope) - for apps that require this access but do not have view_private tokens, the app should request that existing users re-authorize in order to grant profile:read_all access.

If an application needs any functionality that has moved to a new scope (such as reading activities), that application must request the appropriate new scope(s) for any new users going forward.

Important Dates

October 15, 2018

New OAuth endpoints for acquiring short-lived access tokens and refresh tokens are available. New scopes are available.

January 15, 2019

Email address is no longer part of the profile:read_all scope and is removed from the athlete model.

October 15, 2019

Forever tokens are rejected by the server. Old OAuth endpoints for obtaining forever tokens are removed.

If you need support, please check our developer forum. Remember, never share access tokens, refresh tokens, authorization codes, or your client secret in a public forum.