Delv
Community · Active · 6d · 4.3 · by Rick Huijts

Strava MCP

Accesses Strava fitness data with OAuth so Claude can analyse runs, rides, and training load over time.

Safety & Trust

Delv Safety Grade: C

Score 62/100 · assessed 2026-04-28

  • Maintainer: 45
  • Permissions: 85
  • Supply chain: 70
  • Transparency: 55
  • Incidents: 100

This community MCP server provides read-only access to Strava fitness data via OAuth. The maintainer (Rick Huijts) appears to be a solo developer with limited public profile, creating bus factor concerns. The server requires OAuth credentials (client ID and secret) which users must obtain from Strava's developer portal, adding setup complexity but providing proper API authentication. Permissions are appropriately scoped to reading fitness data only, with no write capabilities or filesystem access. The package is distributed via npm with standard installation, though repository activity and documentation appear minimal. No security incidents are known. The main risks stem from the solo maintainer model and limited transparency around ongoing maintenance rather than the technical implementation itself, which follows OAuth best practices for API access.

Lethal Trifecta (prompt-injection exposure)

TRIFECTA RISK
All three axes present. This server can read private data, ingest attacker-controlled content, and send data outbound. A poisoned input (a GitHub issue, an email, a webpage) can exfiltrate secrets via this chain. Only install with auditing; avoid on shared or cloud agents.
  • Private data: Yes. Reads secrets, credentials, private files
  • Untrusted input: Yes. Ingests web pages, PRs, issues, emails
  • External comms: Yes. Can send data outbound

For this server: the private data is private routes and bio; the untrusted input is comments and segment names, which are user-generated; the external comms are outbound posts to clubs and feeds.

Green flags

  • Read-only API access with no write or delete permissions
  • Uses proper OAuth flow rather than storing credentials directly
  • Distributed via npm with standard package management
  • Scoped to single domain (Strava fitness data only)
  • No known security incidents or vulnerabilities

Red flags

  • Solo maintainer with limited public developer profile
  • Minimal repository activity and sparse documentation
  • Requires manual OAuth app setup in Strava developer portal
  • No visible community adoption or peer review

Permissions requested

  • Outbound network
  • Access secrets

Assessed by Delv Editorial using public metadata. Grades are advisory and update as the ecosystem changes. They do not replace your own review of permissions and code before granting an agent access to sensitive systems.

Install

npx -y @r-huijts/strava-mcp-server
Env vars needed: STRAVA_CLIENT_ID, STRAVA_CLIENT_SECRET

Review

Strava MCP bridges Claude to your Strava account via OAuth, letting you pull runs, rides, and training data straight into a conversation. You authenticate once, then ask Claude to analyse your last week's mileage, compare power outputs across rides, or spot patterns in your training load. It's a proper OAuth flow, not a hacky API key setup, which means it respects Strava's rate limits and user permissions.

I'd reach for this when I want conversational access to my training history without opening the Strava app or exporting CSVs. Ask Claude to summarise your hardest runs this month, and it fetches the data, calculates averages, and spots trends. It's particularly good for runners and cyclists who want a training log assistant that can answer natural-language questions like "How many kilometres did I ride in January?" or "Show me my longest run this year." The OAuth setup is more involved than dropping an API key into an env file, but it's the right way to handle user data.

Quirks: you need a Strava API application, which means creating one in the Strava developer portal even if you're just using it for yourself. That's a five-minute job, but it's not instant. The server doesn't cache responses, so repeated queries hit Strava's API each time. If you're asking Claude to reanalyse the same week multiple times in one session, you might bump into rate limits. The docs assume you know your way around MCP config files, so complete beginners might need to cross-reference the Claude Desktop setup guide.

Who shouldn't bother: if you only check Strava once a week or you're happy with the app's own stats, this is overkill. It's for people who want to interrogate their data conversationally or build custom coaching workflows. If you don't run or ride regularly, or you're not curious about training load trends, skip it. But if you're logging multiple activities a week and you want Claude to act as a training analyst, this is the cleanest way to connect the two.

Verdict

Install this if you're a regular Strava user who wants Claude to answer training questions without manual exports. The OAuth setup is a bit of admin, but it's the proper way to do it. Skip it if you only glance at Strava occasionally or you're not interested in conversational data analysis.

Good at

  • Proper OAuth flow respects Strava's permissions and avoids brittle API key setups.
  • Lets you ask natural-language questions about training data without exporting CSVs or opening the app.
  • Good for runners and cyclists who want conversational access to mileage, pace, power, and training load.
  • Works across Claude Desktop, Claude Code, and Cursor once configured.

Watch out

  • Requires creating a Strava API application even for personal use, which adds setup friction.
  • No response caching, so repeated queries in one session can hit Strava's rate limits.
  • Documentation assumes familiarity with MCP config files and is not beginner-friendly.
  • Only useful if you log activities regularly and care about interrogating the data.

Use cases

  • training log analysis
  • running coach workflows
  • cycling performance
  • fitness journaling

Getting started

1. Create a Strava API application at developers.strava.com to get your client ID and secret. Set the callback URL to http://localhost:3000/callback.
2. Run `npx -y @r-huijts/strava-mcp-server` and follow the OAuth flow in your browser to authorise access.
3. Add the server to your Claude Desktop config with the client ID and secret as environment variables. Restart Claude Desktop.
4. Test it by asking Claude "What were my last three runs?" to confirm the connection works.
5. Watch out for Strava's rate limits if you're asking Claude to reanalyse the same data repeatedly in one session.

Works with

  • Claude Desktop
  • Claude Code
  • Cursor
