Deauthorization from the user side doesn't need tokens and they usually don't know these anyway. The deauthorization from your link is the responsibility of your app and of course it needs a valid token, it's even explicitly explained there.
The issue is, if for some reason you no longer have access to the access token (for example: it was deleted from your DB), and if the end user is non-responsive (frequently happens), there is no way to remove that user from your application.
I’ve interacted with many other fitness APIs, and there is usually a way to deauthorize an athlete from your application without requiring their access token. Usually you just need to supply your application secret id.
Update: I just found another thread that raises this exact issue: