Showing results for 
Search instead for 
Did you mean: 

ERROR - code: 'missing'

Mt. Kenya


I'm trying to build a personal website that displays my weekly mileage through Strava's API!

Unfortunately I keep getting the following error:

message: 'Authorization Error',
  errors: [
      resource: 'AccessToken',
      field: 'activity:read_permission',
      code: 'missing'

I read a lot of forums online, videos, and the docs, I can't crack this problem and solve it.

I printed out token request & response in my terminal, here it is:

Token Request URL:[KEEPING THIS PRIVATE] &refresh_token=[KEEPING THIS PRIVATE]&grant_type=refresh_token&response_type=code&approval_prompt=auto&scope=activity%3A+read_all
Token Response: {
  token_type: 'Bearer',
  access_token: '[KEEPING THIS PRIVATE]',
  expires_at: 1707040367,
  expires_in: 20581,
  refresh_token: '[KEEPING THIS PRIVATE]'

As you can see, the URL is set to the scope = activity: read_all.

I'm a little baffled on why I keep getting this problem.

Here's my JS code, perhaps it'll give some clues into the error:

export default async (req, res) => {
    const headers = {
        'Accept': 'application/json, text/plain, */*',
        'Content-Type': 'application/json'

    const body = new URLSearchParams({
        client_id: process.env.STRAVA_CLIENT_ID,
        client_secret: process.env.STRAVA_SECRET,
        refresh_token: process.env.STRAVA_REFRESH_TOKEN,
        grant_type: 'refresh_token',
        response_type: 'code',
        approval_prompt: 'auto',
        scope: 'activity: read_all',
    console.log('Token Request URL:', `${body.toString()}`);
    const reauthorizeResponse = await fetch(`${body.toString()}`, {
        method: 'post',
        headers: headers
    // ... Rest of your code ...
    const reAuthJson = await reauthorizeResponse.json();

    console.log('Token Response:', reAuthJson); // Log token response for debugging

    // Calculate the start and end timestamps for the past week in seconds
    const endDate = Math.floor( / 1000); // current date in seconds
    const startDate = endDate - (7 * 24 * 60 * 60); // 7 days ago in seconds

    const apiUrl = `${reAuthJson.access_token}&after=${startDate}&before=${endDate}`;

    const response = await fetch(apiUrl);
    const activities = await response.json();

    // Ensure activities is an array (if it's an object, convert it to an array)
    const activitiesArray = Array.isArray(activities) ? activities : [activities];

    // Calculate total distance for the week
    const weeklyMileage = activitiesArray.reduce((total, activity) => {
        if (activity.type === 'Run' && activity.distance) {
            total += activity.distance / 1000; // Convert meters to kilometers
        } else {
            // Log activity details for debugging
            console.log('Skipped activity:', activity);
        return total;
    }, 0);

    return res.status(200).json({

I'd really value any guidance!

I've been trying to figure out a solution for the past 4 hours.



Your error message says you are missing the activity:read permission (which is a subset of activity:read_all). In your code there's a space between "activity:" and "read_all" and you can also see it in the URL you posted with the extra + character in the scope request.[KEEPING  THIS PRIVATE]&refresh_token=[KEEPING THIS PRIVATE]&grant_type=refresh_token&response_type=code&approval_prompt=auto&scope=activity%3A+read_all

See for all of the scopes. While your authentication request is succeeding, the scopes it is requesting are invalid and my guess is that you're only getting plain "read_all" if anything.


I see it defined like this in some other JavaScript on this forum


    headers = {
        'Authorization': f'Bearer {token.get("token")}'



This line seems like it could be an issue.

const apiUrl = `${reAuthJson.access_token}&after=${startDate}&before=${endDate}`;

Is it OK to pass the access token as a query parameter versus a new header entry in your request?

"Authorization" : "Bearer kdfjsfjsdffsf......"