TrainingPeaks MCP Server

Connect TrainingPeaks to Claude and other AI assistants via the Model Context Protocol (MCP). Query workouts, build structured intervals, manage your calendar, track fitness trends, and control your training through natural conversation.

No API approval required. The official Training Peaks API is approval-gated, but this server uses secure cookie authentication that any user can set up in minutes. Your cookie is stored in your system keyring, never transmitted anywhere except to TrainingPeaks.

What You Can Do

Ask your AI assistant things like:

• "Build me a 4x8min threshold session for Tuesday with warm-up and cool-down"

• "Compare my FTP progression this year vs last year"

• "Copy last week's long ride to this Saturday"

• "Log my weight at 74.5kg and sleep at 7.5 hours"

• "What's my weekly TSS so far? Am I on track for my ATP target?"

• "Show my race calendar and how many weeks until my A race"

• "Set my FTP to 310 and update my power zones"

• "Add a calendar note for next Monday: rest day, travel"

Tools (52)

Workouts

Analysis & Performance

Athlete Settings

Health Metrics

Equipment

Events & Calendar

Workout Library

Reference & Auth

Setup Options

Option A: Auto-Setup with Claude Code

If you have Claude Code, paste this prompt:

Set up the TrainingPeaks MCP server from https://github.com/JamsusMaximus/trainingpeaks-mcp - clone it, create a venv, install it, then walk me through getting my TrainingPeaks cookie from my browser and run tp-mcp auth. Finally, add it to my Claude Desktop config.

Claude will handle the installation and guide you through authentication step-by-step.

Option B: Manual Setup

Step 1: Install

git clone https://github.com/JamsusMaximus/trainingpeaks-mcp.git
cd trainingpeaks-mcp
python3 -m venv .venv
source .venv/bin/activate  # Windows: .venv\Scripts\activate
pip install -e .

Step 2: Authenticate

Option A: Auto-extract from browser (easiest)

If you're logged into TrainingPeaks in your browser:

pip install tp-mcp[browser]  # One-time: install browser support
tp-mcp auth --from-browser chrome  # Or: firefox, safari, edge, auto

macOS note: You may see security prompts for Keychain or Full Disk Access. This is normal - browser cookies are encrypted and require permission to read.

Option B: Manual cookie entry

1. Log into app.trainingpeaks.com

2. Open DevTools (F12) -> Application tab -> Cookies

3. Find Production_tpAuth and copy its value

4. Run tp-mcp auth and paste when prompted

Other auth commands:

tp-mcp auth-status  # Check if authenticated
tp-mcp auth-clear   # Remove stored cookie

Step 3: Add to Claude Desktop

Run this to get your config snippet:

tp-mcp config

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows) and paste it inside mcpServers. Example with multiple servers:

{
  "mcpServers": {
    "some-other-server": {
      "command": "npx",
      "args": ["some-other-mcp"]
    },
    "trainingpeaks": {
      "command": "/Users/you/trainingpeaks-mcp/.venv/bin/tp-mcp",
      "args": ["serve"]
    }
  }
}

Restart Claude Desktop. You're ready to go!

Structured Workouts

Create workouts with full interval structure. The server auto-computes duration, IF, and TSS from the structure:

{
  "date": "2026-03-01",
  "sport": "Bike",
  "title": "Sweet Spot Intervals",
  "structure": {
    "primaryIntensityMetric": "percentOfFtp",
    "steps": [
      {"name": "Warm Up", "duration_seconds": 600, "intensity_min": 40, "intensity_max": 55, "intensityClass": "warmUp"},
      {"type": "repetition", "reps": 4, "steps": [
        {"name": "Sweet Spot", "duration_seconds": 480, "intensity_min": 88, "intensity_max": 93, "intensityClass": "active"},
        {"name": "Recovery", "duration_seconds": 120, "intensity_min": 50, "intensity_max": 60, "intensityClass": "rest"}
      ]},
      {"name": "Cool Down", "duration_seconds": 600, "intensity_min": 40, "intensity_max": 55, "intensityClass": "coolDown"}
    ]
  }
}

The LLM builds this JSON naturally from conversation - just say "build me 4x8min sweet spot with 2min rest".

What is MCP?

Model Context Protocol is an open standard for connecting AI assistants to external data sources. MCP servers expose tools that AI models can call to fetch real-time data, enabling assistants like Claude to access your Training Peaks account through natural language.

Security

TL;DR: Your cookie is encrypted on disk, exchanged for short-lived OAuth tokens, never shown to Claude, and only ever sent to TrainingPeaks. The server has no network ports.

This server is designed with defence-in-depth. Your TrainingPeaks session cookie is sensitive - it grants access to your training data - so we treat it accordingly.

Write access: v2.0 adds full calendar management (create, update, delete workouts, events, notes, equipment, settings). All mutations go through Pydantic validation. The server cannot access billing or payment info.

Cookie Storage

Your cookie is never stored in plaintext. The encrypted file fallback uses AES-256-GCM authenticated encryption with a PBKDF2-derived key (600,000 iterations) and a machine-specific salt.

Cookie Never Leaks to AI

The AI assistant (Claude) never sees your cookie value. Multiple layers ensure this:

1. Return value sanitisation: Tool results are scrubbed for any keys containing cookie, token, auth, credential, password, or secret before being sent to Claude

2. Masked repr(): The BrowserCookieResult and CredentialResult classes override __repr__ to show cookie=<present> instead of the actual value

3. Sanitised exceptions: Error messages use only exception type names, never full messages that could contain data

4. No logging: Cookie values are never written to any log

Domain Hardcoding (Cannot Be Changed)

The browser cookie extraction only accesses .trainingpeaks.com:

# From src/tp_mcp/auth/browser.py - HARDCODED, not a parameter
cj = func(domain_name=".trainingpeaks.com")

Claude cannot modify this via tool parameters. The only parameter is browser (chrome/firefox/etc), not the domain. To change the domain would require modifying the source code.

No Network Exposure

The MCP server uses stdio transport only - it communicates with Claude Desktop via stdin/stdout, not over the network. There is no HTTP server, no open ports, no remote access.

Open Source

This server is fully open source. You can audit every line of code before running it. Key security files:

• src/tp_mcp/auth/browser.py - Cookie extraction with hardcoded domain

• src/tp_mcp/auth/encrypted.py - AES-256-GCM credential encryption

• src/tp_mcp/tools/_validation.py - Pydantic input validation

• src/tp_mcp/tools/refresh_auth.py - Result sanitisation

• tests/test_tools/test_refresh_auth_security.py - Security tests

Authentication Flow

The server uses a two-step authentication process:

1. Cookie to OAuth Token: Your stored cookie is exchanged for a short-lived OAuth access token (expires in 1 hour)

2. Automatic Refresh: Tokens are cached in memory and automatically refreshed before expiry

This means:

• You only need to authenticate once with tp-mcp auth

• API calls use proper Bearer token auth, not cookies

• If your session cookie expires (typically after several weeks), use tp_refresh_auth in Claude or run tp-mcp auth again

Development

pip install -e ".[dev]"
pytest tests/ -v
mypy src/
ruff check src/

Licence

MIT