Back to Browse
Free
Privacy-first MCP server for Strava activities, streams, routes and training.
About
Privacy-first MCP server for Strava activities, streams, routes and training.
Security Report
4.8
Use Caution4.8High RiskThis is a well-structured MCP server for reading Strava fitness data with appropriate OAuth-based authentication and privacy controls. Authentication is properly implemented via OAuth 2.0 with tokens stored locally under restrictive permissions (0600). The codebase shows good security practices including privacy modes to control GPS data exposure, input validation via Zod schemas, and clear scope management. No critical vulnerabilities or malicious patterns detected. Supply chain analysis found 3 known vulnerabilities in dependencies (0 critical, 3 high severity). Package verification found 1 issue.
5 files analyzed · 8 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
Permissions Required
This plugin requests these system permissions. Most are normal for its category.
What You'll Need
Set these up before or after installing:
Strava OAuth client ID. Optional when configured with strava-mcp-server setup.
Environment variable: STRAVA_CLIENT_ID
Strava OAuth client secret. Prefer strava-mcp-server setup so this secret is stored in ~/.strava-mcp/config.json instead of MCP client config.Required
Environment variable: STRAVA_CLIENT_SECRET
Redirect URI configured in the Strava Developer Dashboard. Optional when configured with strava-mcp-server setup.
Environment variable: STRAVA_REDIRECT_URI
Optional local path for OAuth tokens. Defaults to ~/.strava-mcp/tokens.json.
Environment variable: STRAVA_TOKEN_PATH
Optional payload mode: summary, structured, or raw. Defaults to structured. raw means full Strava API payloads, not continuous 24/7 raw sensor telemetry.
Environment variable: STRAVA_PRIVACY_MODE
Optional SQLite cache toggle. Set to true or sqlite to enable.
Environment variable: STRAVA_CACHE
Optional local SQLite cache path. Defaults to ~/.strava-mcp/cache.sqlite.
Environment variable: STRAVA_CACHE_PATH
How to Install
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-davidmosiah-strava-mcp": {
"env": {
"STRAVA_CACHE": "your-strava-cache-here",
"STRAVA_CLIENT_ID": "your-strava-client-id-here",
"STRAVA_CACHE_PATH": "your-strava-cache-path-here",
"STRAVA_TOKEN_PATH": "your-strava-token-path-here",
"STRAVA_PRIVACY_MODE": "your-strava-privacy-mode-here",
"STRAVA_REDIRECT_URI": "your-strava-redirect-uri-here",
"STRAVA_CLIENT_SECRET": "your-strava-client-secret-here"
},
"args": [
"-y",
"strava-mcp-unofficial"
],
"command": "npx"
}
}
}Documentation
View on GitHubFrom the project's GitHub README.
Strava MCP Unofficial
Unofficial, local-first MCP server that lets AI agents read your Strava activities, routes, streams and training context through the official Strava API.
Website: https://stravamcp.vercel.app/
GitHub Pages mirror: https://davidmosiah.github.io/strava-mcp/
Unofficial project: this repository is not affiliated with, endorsed by, sponsored by, or supported by Strava, Inc. Strava is a trademark of its respective owner. Use this project only with your own Strava account and according to Strava's Developer Terms and API policies.
Built by David Mosiah for people building practical AI-agent workflows around training, endurance, routes, activity streams and performance reflection.
What It Does
strava-mcp-server exposes Strava to MCP-compatible agents with a privacy-first local setup:
- OAuth setup, auth and
doctorCLI for non-technical users. - OAuth scope diagnostics:
doctordetects limited tokens before agents hit permission errors. - Agent manifest:
strava_agent_manifestandstrava://agent-manifestgive agents machine-readable install/runtime rules. - Hermes-aware setup:
setup --client hermeswrites a pinned MCP config and a local Hermes skill to reduce terminal/gateway friction. - Activity history: runs, rides, swims, walks, workouts and sport metadata.
- Activity details: distance, moving time, elevation, heart rate, power, relative effort and gear.
- Activity streams: time, distance, altitude, cadence, watts, heartrate and optional GPS lat/lng.
- Athlete profile, zones, aggregate stats, routes, clubs and gear.
- Daily and weekly workflow summaries for training decisions.
- Privacy modes:
summary,structured,raw. - GPS protection by default: raw route geometry and lat/lng streams require explicit intent.
- Optional SQLite cache and local token storage with
0600permissions.
The server runs over MCP stdio, so it works with Claude Desktop, Cursor, Windsurf, Hermes, OpenClaw and other MCP clients.
Install
npx -y strava-mcp-unofficial setup
npx -y strava-mcp-unofficial auth
npx -y strava-mcp-unofficial doctor
doctor should report the recommended scopes as granted:
read activity:read_all profile:read_all
If you only see read, re-run:
npx -y strava-mcp-unofficial auth
For MCP clients, use the package without a subcommand so it starts the stdio server:
{
"mcpServers": {
"strava": {
"command": "npx",
"args": ["-y", "strava-mcp-unofficial"]
}
}
}
Hermes / Server Install
On a remote Hermes server, keep secrets out of chat and MCP client config when possible:
npx -y strava-mcp-unofficial setup --client hermes --no-auth
npx -y strava-mcp-unofficial auth
npx -y strava-mcp-unofficial doctor --client hermes
hermes mcp test strava
If the browser OAuth flow must happen on your local machine, run auth locally, then copy only ~/.strava-mcp/tokens.json to the server with chmod 600. The token must include activity:read_all profile:read_all read for activity history and streams.
Hermes usually exposes names with its MCP prefix. Common direct tools:
mcp_strava_strava_agent_manifestmcp_strava_strava_connection_statusmcp_strava_strava_daily_summarymcp_strava_strava_weekly_summarymcp_strava_strava_get_activity_streams
After editing ~/.hermes/config.yaml, use /reload-mcp or hermes mcp test strava. Do not restart the Hermes gateway for normal Strava data access.
Create A Strava App
Create an app at https://www.strava.com/settings/api.
Recommended callback / redirect URI:
http://127.0.0.1:3000/callback
Default read scopes:
read activity:read_all profile:read_all
Why these scopes:
read: public profile, routes and public Strava resources.activity:read_all: your activities, including private activities visible to your app.profile:read_all: fuller authenticated athlete profile fields.
No write scope is requested by default.
Environment Variables
setup writes these into ~/.strava-mcp/config.json, so most users do not need to manually export them.
export STRAVA_CLIENT_ID="your-client-id"
export STRAVA_CLIENT_SECRET="your-client-secret"
export STRAVA_REDIRECT_URI="http://127.0.0.1:3000/callback"
# Optional
export STRAVA_SCOPES="read activity:read_all profile:read_all"
export STRAVA_PRIVACY_MODE="structured" # summary | structured | raw
export STRAVA_CACHE="sqlite"
Tools
Auth and setup:
strava_agent_manifeststrava_get_auth_urlstrava_exchange_codestrava_revoke_accessstrava_connection_statusstrava_cache_statusstrava_privacy_auditstrava_capabilities
Athlete and training:
strava_get_athletestrava_get_zonesstrava_get_athlete_statsstrava_list_activitiesstrava_get_activitystrava_get_activity_zonesstrava_get_activity_streams
Routes and context:
strava_list_routesstrava_get_routestrava_list_clubsstrava_get_gear
Workflow tools:
strava_daily_summarystrava_weekly_summary
Resources
strava://capabilitiesstrava://agent-manifeststrava://athletestrava://latest/activitystrava://summary/dailystrava://summary/weekly
Prompts
daily_training_directorweekly_endurance_reviewactivity_stream_investigator
Data Boundary
This project uses the official Strava API v3. When this project says raw, it means the upstream JSON returned by supported Strava endpoints.
It does not mean continuous 24/7 sensor telemetry. Strava activity streams are tied to recorded activities and may include data such as heartrate, cadence, watts, altitude, distance and optional GPS lat/lng when Strava has it.
Security Model
- Tokens stay local under
~/.strava-mcp/tokens.json. - Local config is written with user-only permissions.
- MCP tools do not return OAuth tokens.
- Write/upload scopes are not requested by default.
- GPS/map fields are removed from summary mode and limited in structured mode.
- Raw payloads and GPS streams require explicit opt-in.
- This project is not medical advice.
Development
git clone https://github.com/davidmosiah/strava-mcp.git
cd strava-mcp
npm install
npm test
Links
- Docs: https://stravamcp.vercel.app/
- Source: https://github.com/davidmosiah/strava-mcp
- npm: https://www.npmjs.com/package/strava-mcp-unofficial
- Strava API docs: https://developers.strava.com/docs/reference/
- Strava auth docs: https://developers.strava.com/docs/authentication/
Reviews
No reviews yet
Be the first to review this server!
More Developer Tools MCP Servers
Git
Freeby Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
80.0K
Stars
4
Installs
6.5
Security
No ratings yet
Local
Toleno
Freeby Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
137
Stars
427
Installs
8.0
Security
4.8
Local
mcp-creator-python
Freeby mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.
-
Stars
59
Installs
10.0
Security
5.0
Local
MarkItDown
Freeby Microsoft · Content & Media
Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption
120.0K
Stars
17
Installs
6.0
Security
5.0
Local
mcp-creator-typescript
Freeby mcp-marketplace · Developer Tools
Scaffold, build, and publish TypeScript MCP servers to npm — conversationally
-
Stars
14
Installs
10.0
Security
5.0
Local
Google Workspace MCP
Freeby Taylorwilsdon · Productivity
Control Gmail, Calendar, Docs, Sheets, Drive, and more from your AI
1.6K
Stars
13
Installs
7.0
Security
No ratings yet
Local