You are not missing anything. At the moment it is not possible to remove/revoke access for an athlete. The only option you have is to ignore any events which come in for users that do not exist in your database.
Thank you for replying @ActivityFix.
It's a shame this isn't available. I have already written the code to ignore these incoming events, but it's just unnecessary noise.
I just got an email stating you can DeAuthorize an athlete. Link here
However, the challenge I have is that I have removed the Athlete data already, so I don't have the token. However, when the sub call happens I do get the AthleteID, so I was hoping I could deauthorize using this? As my thought is that DeAuthorizing shouldn't be a security issue or any other issue from the user/Strava point of view?
Agreed - I think it makes a lot of sense to be able to deauth users. It’s not hard to drop events but it doesn’t feel proper.
Deauthorization is totally possible (you just make a POST request to https://www.strava.com/oauth/deauthorize), but you obviously need a valid access token. Otherwise anybody could deauthorize your app for any given athlete.
Since you already deleted the athlete from your database, your only choice is to have the user log into your app again so that you can re-obtain the access token. Until then, just keep ignoring the webhook events.
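Added example, not part of the thread and not Strava's or any poster's code: a Python sketch of the ordering this answer implies, revoking at Strava while the access token is still stored and only then deleting the local record, plus the drop-unknown-owner check for webhook events. The store layout, the function names, the `owner_id` event field and the `access_token` form parameter are assumptions, and the stored token is assumed to still be valid.

```python
import urllib.parse
import urllib.request

# Endpoint quoted in the thread.
DEAUTHORIZE_URL = "https://www.strava.com/oauth/deauthorize"


def http_post(url, form):
    """POST form-encoded data and return the HTTP status code."""
    data = urllib.parse.urlencode(form).encode()
    request = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status


def remove_athlete(store, athlete_id, post=http_post):
    """Revoke the grant first, delete the local record second.

    `store` is a hypothetical dict: athlete_id -> {"access_token": ...}.
    Deleting first would discard the only credential able to revoke.
    """
    record = store.get(athlete_id)
    if record is None:
        return "unknown"
    # Assumed parameter name for the token: access_token.
    status = post(DEAUTHORIZE_URL, {"access_token": record["access_token"]})
    if status != 200:
        return "revoke_failed"  # keep the record so the call can be retried
    del store[athlete_id]
    return "removed"


def handle_webhook_event(store, event):
    """Ignore events whose owner is not in the local store."""
    # Assumed field carrying the athlete ID: owner_id.
    if event.get("owner_id") not in store:
        return "ignored"
    return "processed"
```
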
So I managed to find out who the user was using the ID and the url to find the actual athlete. As my app is mainly cycling friends it was easy for them to remove themselves.
However, I agree, we as the app owners should be able to remove users if needed. This isn't a security issue, as you still need to provide your key to access the Strava API to carry out this removal.
Strava should stop sending events if a user deauthorized!
So the question is why Strava is sending webhook events if a user deauthorized???
It is Strava's responsibility to make sure they stop sending events in such a case.
There is something off on the Strava side, I believe.