
I found this conversation here where a man named John said that he was able to bypass the limitations of the getClubActivitiesById endpoint by having people authenticate his app, allowing him full access to their activity details at the level they authorize.


Is there any validity to this, or do you guys have any ideas as to what this would look like? I don't think that them authenticating your app would give you more access to their activities through the getClubActivitiesById endpoint, given there's a response data limitation there to so few fields. Theoretically, how would I get the extra details? Would I have to use the "List Athlete Activities" endpoint, but that endpoint doesn't have any extra parameters for the request URL?


In an attempt to do this myself, I sent them a link like this:


https://www.strava.com/oauth/authorize?client_id=<myClientId>&response_type=code&redirect_uri=http://localhost/exchange_token&approval_prompt=force&scope=activity:read_all


When they logged in with this link, they were able to authenticate my app by clicking on "Authorize." I then tried testing with the Swagger playground on the endpoint https://developers.strava.com/playground/#/Activities/getActivityById but it failed to retrieve their activities. I also tried the endpoint https://developers.strava.com/playground/#/Athletes/getLoggedInAthlete but of course this just returned my information.


Does the link they use need to have a client ID of their own? I ask because the link I sent them to authenticate my app was my client ID, but I thought that the client ID is associated with my application and thus is needed.


 

To me, it really doesn't make sense why the club data shouldn't include the same amount of information as what you can see for your own, authenticated activities. If the athlete joins your club knowing that their information will be grabbed on their activities, I don't see the issue. I suggest this be changed in the future as it will save developers like me a ton of hassle for these data limitation issues.


The club endpoints in the Strava API are severely lacking in the information provided since there isn't a unique identifier for the athlete or activity. Unless it is a very small club where every athlete has a unique name, you're going to have a difficult or impossible time correlating the data from getClubActivitiesById to any specific athlete. The suggestion made by John in the post you linked is taking a completely different approach and generally ignoring any of the club-specific endpoints. Instead, by having each athlete authorize the app, you can get a list of their recent activities (getLoggedInAthleteActivities) and clubs (getLoggedInAthleteClubs) and build your dataset from that information. How you do this will depend on your specific application -- ideally you would use webhooks and process each activity as it comes in, as this would be the most efficient use of your API limits. Alternatively, you could periodically call getLoggedInAthleteActivities for each athlete to get their recent activities, ignoring those you have already processed.

To your second question on authenticating athletes, the final part of the OAuth flow provides a token and refresh token for the athlete (see https://developers.strava.com/docs/authentication/#tokenexchange). To my knowledge the Swagger playground on Strava will only work for you, since the authorize button is authorizing using your logged-in account. If you want to get information for another athlete you would need to use their token, so you'd need to write your own code to access the API and pass their token along. There are Strava libraries for most languages so you could use one of those, or another good option for experimenting is to use Postman.


Thank you so much for the reply! This has helped a lot. After playing around and using one of my friends as a guinea pig, I was able to get his activities in my Google App Script (thanks to Postman). The next challenge is using his refresh token to retrieve his constantly-changing (every 6 hours) access token in the script! Let's see how this goes.
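
The per-athlete flow discussed above (exchange the code from the redirect, call the athlete activities endpoint with that athlete's own token, refresh it when the roughly six-hour access token expires), as an added Python example that is not code from this thread. The `AthleteTokens` and `new_activities` names and the injectable `send` transport are assumptions made for illustration; the client secret belongs on a server, never in the link sent to athletes.

```python
# Added example; class and function names are hypothetical.
import json, time, urllib.parse, urllib.request

TOKEN_URL = "https://www.strava.com/oauth/token"
ACTIVITIES_URL = "https://www.strava.com/api/v3/athlete/activities"

def http(url, data=None, headers=None):
    """Default transport: POST form data if given, else GET; returns parsed JSON."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class AthleteTokens:
    """One athlete's tokens; keep a separate instance per authorizing athlete."""
    def __init__(self, client_id, client_secret, send=http, now=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.send, self.now = send, now
        self.access, self.refresh, self.expires_at = None, None, 0

    def _grant(self, **fields):
        tok = self.send(TOKEN_URL, data={"client_id": self.client_id,
                                         "client_secret": self.client_secret, **fields})
        # The response may carry a new refresh token; always store the latest one.
        self.access, self.refresh = tok["access_token"], tok["refresh_token"]
        self.expires_at = tok["expires_at"]

    def exchange_code(self, code, granted_scope):
        # The athlete can untick scopes on the consent page, so check the
        # "scope" value returned on the redirect before relying on it.
        if "activity:read_all" not in granted_scope.split(","):
            raise PermissionError("athlete did not grant activity:read_all")
        self._grant(code=code, grant_type="authorization_code")

    def access_token(self):
        # Refresh five minutes before expiry instead of waiting for a 401.
        if self.now() >= self.expires_at - 300:
            self._grant(grant_type="refresh_token", refresh_token=self.refresh)
        return self.access

def new_activities(tokens, seen_ids, per_page=30):
    """Fetch this athlete's recent activities, skipping ones already processed."""
    url = ACTIVITIES_URL + "?" + urllib.parse.urlencode({"per_page": per_page})
    acts = tokens.send(url, headers={"Authorization": "Bearer " + tokens.access_token()})
    fresh = [a for a in acts if a["id"] not in seen_ids]
    seen_ids.update(a["id"] for a in fresh)
    return fresh
```

The `code` and `scope` values come from the query string of the redirect to `redirect_uri` after the athlete clicks "Authorize".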


How were you able to get his activities? I need to do this, and I am so lost. 

