Holding your hand through Strava’s API

Jessica Salbert
Sep 28, 2020

When the YouTube walkthrough still isn’t enough — a beginner’s step-by-step guide to integrating Strava data into your application using the Postman API development platform.

For my first attempt at using an API, I was cautioned not to start with one that requires OAuth. I ignored that advice because I was too excited about integrating Strava into my fitness-related project.

I found a few helpful tutorials, but those assumed a level of understanding of APIs which I didn’t yet have. I’ve compiled this guide for a complete beginner in hopes of saving you the 7 hours that it took me to get this API rolling. Use this in conjunction with the API documentation at http://developers.strava.com/. Let’s get started!

Step 1. Create your application.

Log into your Strava account and head to https://www.strava.com/settings/api. There, you’ll see the form to create an application. Fill in the details and you’ll be presented with a bunch of codes/tokens which will be needed in working the API into your app.

Upon creating your application, you’ll be given a Client ID, Client Secret, Access Token, and Refresh Token, which are all used in authorization. The Client Secret, Access Token, and Refresh Token should all be kept secret — I’ve shown them here since this is a dummy app for a fake account.

Step 2. Using Postman to create an API request

I stumbled across Postman when researching how to make API requests. It’s a handy platform which allows you to specify the type of request you are making and then creates a URL based on the parameters you provide. I’ll be including screenshots of the platform as I use it to make requests. I did this instead of making cURL requests via my terminal.

The first request you will make is a GET request to https://www.strava.com/api/v3/athlete using your Access Token. You’ll format the request using a Header with an Authorization key as shown below. The ‘Bearer’ value is to be followed by your Access Token. Keep in mind that the Access Token expires after six hours.

This will output a JSON object containing your athlete data. Cool! This is an exciting first step but it gets trickier from here.

If you poke around http://developers.strava.com/docs/reference/, you’ll see all of the different endpoints you can use to access data from Strava. I was interested in pulling activities from a user, so I found the following endpoint to be of interest.

This page is pretty cool — it shows the GET request URL and sample output. There is an issue, however. The line that I’ve boxed in red indicates that in order to view an athlete’s activities you’ll need to have ‘read_all’ permission. As you can see below (and above on the “My API Application” page), our access defaults to ‘read’ when creating the app. We’ll have to change this.

Step 3. Get authorization code — update scope to ‘read_all’

Strava’s documentation is a little fuzzy regarding the next steps. We need to go into the browser and update the access to ‘read_all’. You can find this link on Strava’s development page: http://www.strava.com/oauth/authorize?client_id=[REPLACE_WITH_YOUR_CLIENT_ID]&response_type=code&redirect_uri=http://localhost/exchange_token&approval_prompt=force&scope=read

**You must change the scope in the above URL from ‘scope=read’ to ‘scope=activity:read_all’ in order to give your app read_all access**

Once the scope has been updated to read_all, go to that URL in the browser. Using my client ID as an example, you’ll see the following page.

Emphasizing the importance of scope=activity:read_all, as highlighted above. Hope to save you the headaches I endured when I messed it up the first time(s).

Once you click ‘authorize’ you’ll reach the following page which will initially make your heart drop because you think you messed up, but you actually didn’t! This page is where you’ll find your authorization code, as I’ve highlighted below.

Nothing better than realizing that your error message is actually what you wanted — wahoo!

Step 4. Exchange authorization code for a new access token

The next step is to make a POST request to the following URL: https://www.strava.com/oauth/token? including the following parameters: client_id, client_secret, code, grant_type.

The ‘code’ is the code that was copied from the URL above. The grant_type will be ‘authorization_code’. See the following POST request made in Postman using my app’s Client ID and Client Secret.

That POST request results in a JSON object that includes athlete information as well as a new refresh token and access token. We have now successfully given our app read_all scope! The access token will be used in the next step.

Step 5. GET user’s data

Now we can return to the endpoints page and use the new Access Token to retrieve athlete data. In this case, let’s look at the endpoint I had specified earlier, which is found at https://www.strava.com/api/v3/athlete/activities?. You’ll need to make a GET request including the new access token as shown below.

Lo and behold…a JSON object of your 30 most recent activities! Throw the URL in the browser and you’ll see:

Not as pretty but it’s the same thing. I’ve only seeded my dummy account with two activities which you see there. COOL! Congrats on making it this far — I was thrilled when I finally saw my *actual* data displayed. You could use this data to seed an app with your own personal data. Or you can redirect to the authorization page in your app and allow others to retrieve their data, too.

You now know how to authorize Strava in your own app and from here you can parse the data and do all sorts of fun things. Explore the endpoints in Strava’s API docs and enjoy!

Note — Take care not to push any secret codes to GitHub (I made this mistake the first time). Store your ‘Client Secret’ code in a separate file and include it in your .gitignore so it will not be publicly visible.
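Steps 3 to 5 as a Python sketch, added here as an example and not part of the original walkthrough: it builds the authorize link, checks the redirect for the granted scope, and prepares the token and activities requests with the Client Secret read from the environment and sent in the POST body rather than in the URL. Assumptions: the `STRAVA_CLIENT_SECRET` variable name and the function names are hypothetical, and the `scope` and `error` redirect parameters and the `expires_at` field in the token JSON are taken from Strava's behaviour, not from this page.

```python
import os
import time
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request

AUTHORIZE_URL = "https://www.strava.com/oauth/authorize"
TOKEN_URL = "https://www.strava.com/oauth/token"
ACTIVITIES_URL = "https://www.strava.com/api/v3/athlete/activities"
REDIRECT_URI = "http://localhost/exchange_token"


def authorize_url(client_id, scope="activity:read_all"):
    """Step 3: the link the account owner opens in a browser."""
    query = urlencode({
        "client_id": client_id, "response_type": "code",
        "redirect_uri": REDIRECT_URI, "approval_prompt": "force",
        "scope": scope,
    })
    return f"{AUTHORIZE_URL}?{query}"


def code_from_redirect(redirected_url, needed_scope="activity:read_all"):
    """Step 3: pull the authorization code out of the localhost URL."""
    params = parse_qs(urlsplit(redirected_url).query)
    if "error" in params:
        raise ValueError(f"authorization denied: {params['error'][0]}")
    granted = params.get("scope", [""])[0].split(",")
    if needed_scope not in granted:
        raise ValueError(f"scope {needed_scope!r} was not granted: {granted}")
    return params["code"][0]


def token_request(client_id, code):
    """Step 4: POST with the secret in the form body, not the query string."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": os.environ["STRAVA_CLIENT_SECRET"],  # assumed env var name
        "code": code, "grant_type": "authorization_code",
    }).encode()
    return Request(TOKEN_URL, data=body, method="POST")


def activities_request(token_json, now=None):
    """Step 5: GET with a Bearer header; refuse an expired access token."""
    if token_json["expires_at"] <= (now if now is not None else time.time()):
        raise ValueError("access token expired; get a new one first")
    return Request(ACTIVITIES_URL,
                   headers={"Authorization": f"Bearer {token_json['access_token']}"})
```

Pass either request to `urllib.request.urlopen` to send it. Keeping the secret and tokens out of the URL keeps them out of browser history and server access logs.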
