Strava MCP Server – Seamless OAuth Integration for AI Assistants

The Strava MCP server solves a common pain point for developers building AI‑powered applications that need to access users’ fitness data: managing OAuth authentication while keeping the MCP architecture clean and secure. By running on Cloudflare Workers, it offers a globally distributed, low‑latency endpoint that acts both as an OAuth provider for your AI client and as an OAuth consumer of Strava’s API. This dual role eliminates the need for separate authentication services, streamlines token handling, and guarantees that user credentials never touch your own servers.

At its core, the server exposes a standard MCP interface. When an AI assistant (e.g., Claude) connects to the endpoint, it receives a stream of tool definitions and prompts that are dynamically gated by the authenticated user’s Strava token. The server stores each user’s access and refresh tokens in Cloudflare KV, ensuring persistence across restarts while keeping secrets out of the application code. The built‑in OAuth flow directs users to Strava’s consent screen, then captures the callback and issues a short‑lived MCP session token that the AI client can use for subsequent requests.

Key capabilities include:

• OAuth 2.1 compliance – the server handles token issuance, revocation, and refresh logic automatically.
• Secure storage – tokens are encrypted in Cloudflare KV, with automatic rotation of session keys.
• Conditional tool availability – tools are exposed only to users who have granted the required scopes, preventing accidental data leaks.
• Rate‑limit awareness – the server tracks Strava’s API limits (200 requests per 15 min, 2 000 per day) and throttles or queues calls to stay within bounds.

Typical use cases span fitness analytics dashboards, personalized coaching bots, and workout‑tracking integrations. For example, a developer can create an AI assistant that suggests training plans based on recent rides; the MCP server ensures that each user’s data is isolated and securely accessed without exposing their Strava credentials. Because the server runs on Cloudflare Workers, it scales automatically and benefits from built‑in DDoS protection and edge caching.

Integrating this MCP into an AI workflow is straightforward: the assistant’s configuration points to the server’s SSE endpoint, and the OAuth flow is initiated automatically when a new user connects. Once authenticated, the assistant can call Strava endpoints via defined MCP tools, receive real‑time updates, and store user preferences in the durable storage layer. This tight coupling of authentication, state management, and tool definition makes the Strava MCP server a powerful, turnkey solution for developers looking to embed fitness data into conversational AI experiences.