
In the getting started guide, in the section "F. Why do I need webhooks?", it states:



"Per our API terms, you need to implement webhooks to know when an athlete has deauthorized your API application"



What about mobile-only applications? We're building a mobile-only app and have no intention of managing a backend server because our app does not require one to function.



So are mobile apps exempt from this, or is there a special way to handle this case?

How do users connect your app with their Strava account if there is no backend server where their authorizations can be sent to? Do you plan to parse the failing return URL automatically in your app and can the users afterwards change or withdraw their authorization scopes only in your app then?


Our app uses the Strava login via the Strava app on the device (same flow as standard OAuth). The redirect URL is a deeplink back to the mobile application, which accepts the authorizations, or fails if something goes wrong, just like any other OAuth flow.

But yeah, the only place they could revoke the authorizations is within our app, which is provided via logout. If they revoked in Strava I assume the API would begin rejecting any requests from revoked keys anyway. So I'm not really sure what the issue is.

