I think I found something here: https://developers.strava.com/docs/webhooks/

---

 "For app deauthorization events, there is always an "authorized" : "false" key-value pair."

---

I'm trying to test this, but it doesn't look like a notification is sent when the user revoke access to an app.

I can't seen to find any more info, would anyone be able to help?

Thanks

I have related question. Is it possible that Strava sends authorize:false event several days AFTER revoking? Or maybe is repeating that webhook event? I had a case I revoked on my test user, then connected again. All worked as expected and then after a week I am receiving authorize:false again and my user is deauthorized!

Is it possible? That case happened for two users and both events was send in the same batch from Strava and processed together within my 2 minutes interval.

I have checked my security flow and I am sure there is no way for someone else to push such event to my app.

Yes, I know how deauthorization works.

I have two strava apps with webhooks, different implementation not the copy paste code.

In both apps sometimes I receive deauthorization webhook event and a user confirms they did not click revoke in Strava, any ideas?

Hi @blasbike I haven't noticed this behaviour. 

After having a lot of trouble trying to find the problem, I noticed that our firewall was blocking the Strava webhook events. Strava also added new IPs that needed to be whitelisted (https://communityhub.strava.com/t5/developer-discussions/whitelist-ip-address-webhook/m-p/33492).

It's pity Strava doens't notify when changes like this happen.