What do you mean by orphaned?

I suspect the problem you are running in to is with athletes who authorize your app and then stop using it without revoking access. From your point of view those tokens are no longer in use but since the athlete still has your app connected in their account, Strava considers them as a user. With the app still connected to their account that athlete could potentially come back and begin using your app again without having to authorize it, so unfortunately there isn't much you can do. There's no API call which allows you to remove an athlete from your app so you're stuck with either requesting a limit increase or hoping they some day revoke authorization.

That is also my understanding - current when a user disconnects we we try to process a revoke against Strava, but that was not always the case, and if there is an issue with that revoke we drop it rather than hold stuff up.

I was interested to know if Strava had a mechanism (or any plans to implement one) to allow an app to clean up these orphaned tokens

Hi, since the athlete number limit has already been reached, I would like to revoke some inactive athletes, but their refresh tokens are already invalid. What should I do?

Yep, sadly there’s no Strava endpoint to “prune” athletes or revoke them by athlete_id.

Only two ways an athlete stops counting as connected:

1. They disconnect your app on Strava, or

2. You deauthorize via API, but only if you still have a valid token for that athlete.

If you still have their refresh token: refresh → then call /oauth/deauthorize using the new access token.

If the refresh token is already invalid, you can’t deauth them programmatically anymore (no “force revoke” API). At that point you can only:

• mark them disconnected/clean up on your side, and/or

• ask the athlete to disconnect in Strava to actually free capacity.

Also worth double-checking: refresh tokens rotate — if you don’t persist the latest refresh token after each refresh, you’ll end up with “invalid refresh token” for active users. And if you use webhooks, handle the authorized=false deauth event to purge tokens immediately.