
Hey!

I'm trying to build a personal website that displays my weekly mileage through Strava's API!

Unfortunately I keep getting the following error:

message: 'Authorization Error',
errors: [
  {
    resource: 'AccessToken',
    field: 'activity:read_permission',
    code: 'missing'
  }
]

I read a lot of forums online, videos, and the docs, but I can't crack this problem and solve it.

I printed out token request & response in my terminal, here it is:

Token Request URL: https://www.strava.com/oauth/token?client_id=108355&client_secret=[KEEPING THIS PRIVATE] &refresh_token=[KEEPING THIS PRIVATE]&grant_type=refresh_token&response_type=code&approval_prompt=auto&scope=activity%3A+read_all

Token Response: {
  token_type: 'Bearer',
  access_token: '[KEEPING THIS PRIVATE]',
  expires_at: 1707040367,
  expires_in: 20581,
  refresh_token: '[KEEPING THIS PRIVATE]'
}

As you can see, the URL is set to the scope = activity: read_all.

I'm a little baffled on why I keep getting this problem.

Here's my JS code, perhaps it'll give some clues into the error:

export default async (req, res) => {
  const headers = {
    'Accept': 'application/json, text/plain, */*',
    'Content-Type': 'application/json'
  };

  const body = new URLSearchParams({
    client_id: process.env.STRAVA_CLIENT_ID,
    client_secret: process.env.STRAVA_SECRET,
    refresh_token: process.env.STRAVA_REFRESH_TOKEN,
    grant_type: 'refresh_token',
    response_type: 'code',
    approval_prompt: 'auto',
    scope: 'activity: read_all',
  });

  console.log('Token Request URL:', `https://www.strava.com/oauth/token?${body.toString()}`);

  const reauthorizeResponse = await fetch(`https://www.strava.com/oauth/token?${body.toString()}`, {
    method: 'post',
    headers: headers
  });

  // ... Rest of your code ...

  const reAuthJson = await reauthorizeResponse.json();

  console.log('Token Response:', reAuthJson); // Log token response for debugging

  // Calculate the start and end timestamps for the past week in seconds
  const endDate = Math.floor(Date.now() / 1000); // current date in seconds
  const startDate = endDate - (7 * 24 * 60 * 60); // 7 days ago in seconds

  const apiUrl = `https://www.strava.com/api/v3/athlete/activities?access_token=${reAuthJson.access_token}&after=${startDate}&before=${endDate}`;

  const response = await fetch(apiUrl);
  const activities = await response.json();

  // Ensure activities is an array (if it's an object, convert it to an array)
  const activitiesArray = Array.isArray(activities) ? activities : [activities];

  // Calculate total distance for the week
  const weeklyMileage = activitiesArray.reduce((total, activity) => {
    if (activity.type === 'Run' && activity.distance) {
      total += activity.distance / 1000; // Convert meters to kilometers
    } else {
      // Log activity details for debugging
      console.log('Skipped activity:', activity);
    }
    return total;
  }, 0);

  return res.status(200).json({
    weeklyMileage
  });
};

I'd really value any guidance!

I've been trying to figure out a solution for the past 4 hours.

This line seems like it could be an issue.

const apiUrl = `https://www.strava.com/api/v3/athlete/activities?access_token=${reAuthJson.access_token}&after=${startDate}&before=${endDate}`;

Is it OK to pass the access token as a query parameter versus a new header entry in your request?

"Authorization" : "Bearer kdfjsfjsdffsf......"


I see it defined like this in some other JavaScript on this forum

headers = {
    'Authorization': f'Bearer {token.get("token")}'
}

Your error message says you are missing the activity:read permission (which is a subset of activity:read_all). In your code there's a space between "activity:" and "read_all" and you can also see it in the URL you posted with the extra + character in the scope request.

https://www.strava.com/oauth/token?client_id=108355&client_secret=[KEEPING  THIS PRIVATE]&refresh_token=[KEEPING THIS PRIVATE]&grant_type=refresh_token&response_type=code&approval_prompt=auto&scope=activity%3A+read_all

See https://developers.strava.com/docs/authentication/#detailsaboutrequestingaccess for all of the scopes. While your authentication request is succeeding, the scopes it is requesting are invalid and my guess is that you're only getting plain "read_all" if anything.


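An added example, not code from any poster in this thread: a pre-flight check that shows how the stray space in the scope value is encoded and rejects it, plus a request builder that carries the access token in the Authorization header so it stays out of URLs and logs. The function names are hypothetical, the scope list is assumed from the Strava documentation page linked above, and all values are constructed.

```javascript
// Scope names assumed from the Strava docs page linked in the thread;
// verify the list against the current documentation before relying on it.
const STRAVA_SCOPES = new Set([
  'read', 'read_all', 'profile:read_all', 'profile:write',
  'activity:read', 'activity:read_all', 'activity:write',
]);

// Split a comma-separated scope string and report entries that are not exact
// scope names. Whitespace is deliberately not trimmed, so a value such as
// 'activity: read_all' is reported instead of being silently sent.
function checkScopes(scopeString) {
  const requested = scopeString.split(',');
  const invalid = requested.filter((s) => !STRAVA_SCOPES.has(s));
  return { ok: invalid.length === 0, invalid };
}

// Show what URLSearchParams actually puts on the wire for a scope value.
function encodedScope(scopeString) {
  return new URLSearchParams({ scope: scopeString }).toString();
}

// Build the activities request with the token in the Authorization header
// rather than the query string, so logging the URL never exposes the token.
function activitiesRequest(accessToken, after, before) {
  const url = new URL('https://www.strava.com/api/v3/athlete/activities');
  url.searchParams.set('after', String(after));
  url.searchParams.set('before', String(before));
  return {
    url: url.toString(),
    headers: { Authorization: `Bearer ${accessToken}` },
  };
}

// Constructed sample values, not real credentials.
const badScope = 'activity: read_all';
const goodScope = 'activity:read_all';
console.log(encodedScope(badScope), checkScopes(badScope));
console.log(encodedScope(goodScope), checkScopes(goodScope));
console.log(activitiesRequest('EXAMPLE_TOKEN', 1706400000, 1707004800));
```

Pass the returned `url` and `headers` to `fetch(url, { headers })`.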