Strava OAuth revamp

[dblock]

Hi Developers,

We have been working on some exciting API changes to improve transparency and give our users more control. Read on for a summary of the upcoming changes.

OAuth and Scopes Overhaul
We have overhauled our OAuth experience to make it easier for our users to understand and control how they share their data. The overhaul included introducing new scopes, some changes to existing scopes, and new, more user-friendly OAuth pages. In addition, the email field will be removed from all scopes and from the Athlete object effective January 15th, 2019.

Read more details on scope changes at https://developers.strava.com/docs/oauth-updates/

Refresh Tokens
Beginning on October 15, 2018, we will make available a new version of the Strava OAuth flow that uses short-lived access tokens and refresh tokens.

We want to make this change easier on you, so you will have from now through October 15, 2019, to migrate to the new version of OAuth using short-lived access tokens and refresh tokens. During the migration period, existing forever access tokens will continue to work.

However, on October 15th, 2019, forever tokens will be rejected by the server and any app that has not migrated to the short-lived access tokens will lose access to the Strava API until it is updated to the new token logic.

Read up on migration details and instructions at https://developers.strava.com/docs/oauth-updates/

If you have any questions, please email us at api@strava.com.

Thank you,
Strava API Team

[dblock]

As long as someone doesn't deauthorize your app, you'll be able to request a new short-lived access token using your refresh token. You can then use the access token to make requests on behalf of the authenticated athlete.