Strava Planner MCP
Provides tools to retrieve and analyze Strava training data for coaching, planning, and analysis.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Strava Planner MCPshow me my last 5 activities and their summaries"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Strava Planner MCP
A personal, read-only MCP server that exposes Strava training data to Claude. It supports:
Local stdio for MCP clients that can spawn a process.
Authenticated Streamable HTTP at
/mcpfor Claude Web and other remote MCP clients.Docker deployment behind an HTTPS-terminating Nginx reverse proxy.
The server retrieves and reshapes data. Claude performs coaching, planning, and analysis.
Architecture
Claude Web
-> HTTPS Streamable HTTP + OAuth 2.1
-> Nginx
-> 127.0.0.1:8000
-> Docker: TypeScript MCP server
-> Strava REST APIThe remote transport is stateless Streamable HTTP. This keeps a single-instance personal deployment simple and avoids sticky-session requirements. Stdio remains available through npm start.
Related MCP server: claude-garmin
Requirements
Node.js 20 or newer for local development.
A Strava API application.
Docker and Docker Compose for deployment.
A DNS name and trusted HTTPS certificate for Claude Web.
Claude Pro, Max, Team, or Enterprise with custom connectors enabled.
Install And Test
npm ci
npm run typecheck
npm test
npm run buildStrava Configuration
Create an application at https://www.strava.com/settings/api. Local browser authorization uses these scopes:
readactivity:read_allprofile:read_all
Copy the environment example:
cp .env.example .envGenerate independent secrets:
openssl rand -base64 32
openssl rand -hex 16
openssl rand -base64 48
openssl rand -base64 48Use them for STRAVA_TOKEN_ENCRYPTION_KEY, MCP_OAUTH_CLIENT_ID, MCP_OAUTH_CLIENT_SECRET, and MCP_OAUTH_TOKEN_SIGNING_KEY respectively.
There are two ways to seed Strava authorization:
Set
STRAVA_REFRESH_TOKENfrom the Strava API application page. On first API use, the server exchanges it and writes the current token set to the encrypted token file.Run
npm run authon a machine with a browser, then preserve the generated encrypted token file and the same encryption key.
The encrypted token file takes precedence over STRAVA_REFRESH_TOKEN. When Strava rotates the refresh token, the new token is encrypted and persisted. In Docker it lives in the strava-mcp-data volume.
Token Persistence, Backup, And Recovery
The encrypted token file is written atomically (temp file, fsync, then rename) with 0600 permissions, so an interrupted write can never truncate the only good copy. Concurrent refreshes within the process are serialized.
Because Strava rotates refresh tokens, this file is the source of truth once seeded. If it becomes corrupt or is decrypted with the wrong key, the server fails loudly with a clear operational error and does not overwrite it — so recoverable state is never silently destroyed.
Back up the encrypted token file together with the exact
STRAVA_TOKEN_ENCRYPTION_KEY(the file is useless without the key). In Docker, back up thestrava-mcp-datavolume.Recover by restoring the file and key, or by re-seeding: set a fresh
STRAVA_REFRESH_TOKEN(or runnpm run auth) and delete the unreadable file so the seed path can run.Losing both the file and a valid seed refresh token means re-authorizing Strava from scratch.
Environment Variables
Required for all modes (STRAVA_REFRESH_TOKEN may be omitted when a valid encrypted token file already exists):
Variable | Purpose |
| Strava application client ID. |
| Strava application client secret. |
| Encrypts the persisted Strava token file. |
| Seeds Docker/remote authorization if no encrypted token file exists. One of these two sources is required. |
Required for authenticated remote mode:
Variable | Purpose |
| Exact public endpoint, e.g. |
| Fixed OAuth client ID entered in Claude. |
| Fixed OAuth client secret entered in Claude. |
| Signs MCP access and refresh tokens. |
Important optional variables:
Variable | Default |
|
|
|
|
|
|
|
|
| Public hostname plus localhost names. |
|
|
|
|
|
|
| Unset outside Docker; |
|
|
|
|
|
|
|
|
| Unset. Optional |
Production-critical secrets (STRAVA_CLIENT_SECRET, STRAVA_TOKEN_ENCRYPTION_KEY, MCP_OAUTH_CLIENT_SECRET, MCP_OAUTH_TOKEN_SIGNING_KEY) are validated at startup: the server refuses to boot if they still contain the .env.example placeholder text, and the signing/encryption/OAuth secrets must be at least 16 characters.
See .env.example for the complete list, grouped by local-dev / Docker / production.
Local Linux Development
For a quick authless loopback test, set this only in a development .env:
MCP_AUTH_ENABLED=false
MCP_HOST=127.0.0.1
MCP_ALLOWED_HOSTS=localhost,127.0.0.1Authless mode refuses to start on a non-loopback host (MCP_HOST other than 127.0.0.1/::1/localhost) so it cannot accidentally expose unauthenticated tools to the LAN. Override deliberately with MCP_ALLOW_INSECURE_BINDING=true only if you know what you are doing.
Start Streamable HTTP:
npm run dev:httpCheck liveness and readiness:
curl http://127.0.0.1:8000/health # cheap liveness, always 200 when running
curl http://127.0.0.1:8000/ready # 200 only when a usable Strava token source existsRun the official MCP Inspector:
npm run inspect:httpSelect Streamable HTTP and use http://127.0.0.1:8000/mcp.
Do not use MCP_AUTH_ENABLED=false on a public interface. To test OAuth locally, use MCP_PUBLIC_URL=http://localhost:8000/mcp and configure all MCP_OAUTH_* values.
For stdio debugging:
npm run dev
# or, after npm run build
npm startPersonal Athlete Context
Optional goals, heart-rate zones, constraints, and preferences live outside source code. Create the local file:
cp config/athlete-context.example.json config/athlete-context.jsonEdit it as needed. getAthleteContext returns it to Claude. The actual file is gitignored and mounted read-only in Docker.
Docker Deployment
The image uses the multi-architecture node:22-bookworm-slim base and works on ARM64/aarch64.
Production deployment on the VM (GHCR image + central proxy) is documented step-by-step in DEPLOY.md. In short: GitHub Actions (.github/workflows/build.yml) builds and pushes ghcr.io/mohith1612/strava-planner-mcp (multi-arch, incl. linux/arm64); the VM runs compose.prod.yaml on the shared proxy network with no published ports, and proxy_nginx reaches it by container name.
For a local Docker smoke test (builds the image locally, publishes on loopback):
docker compose build
docker compose up -d
docker compose ps # "healthy" once /ready passes
curl http://127.0.0.1:8000/health
curl http://127.0.0.1:8000/ready
docker compose logs -f strava-mcp
docker compose down # add -v ONLY to delete the token volumeThe container HEALTHCHECK polls /ready (which verifies a usable token source without calling Strava). The container runs as the non-root node user, drops Linux capabilities, enables no-new-privileges, and handles SIGTERM.
Nginx And HTTPS
On the VM, Nginx is the shared central proxy at /opt/proxy/. Drop nginx/strava-mcp.conf.example in as /opt/proxy/nginx/conf.d/strava.conf (it already targets strava.mohith16.com → strava_mcp:8000) and reload:
docker compose -f /opt/proxy/docker-compose.yml exec nginx nginx -t
docker compose -f /opt/proxy/docker-compose.yml exec nginx nginx -s reloadThe config proxies all paths (including /.well-known/oauth-* and /mcp) to the container over the proxy network using the resolver 127.0.0.11 + set $upstream pattern, disables buffering, and uses long streaming timeouts. The shared *.mohith16.com wildcard cert already covers the subdomain, so no new certificate is required. Do not expose container port 8000 publicly.
After DNS + TLS are live, verify:
curl https://strava.mohith16.com/health
curl https://strava.mohith16.com/ready
curl -i https://strava.mohith16.com/mcp
curl https://strava.mohith16.com/.well-known/oauth-protected-resource/mcp
curl https://strava.mohith16.com/.well-known/oauth-authorization-serverAn unauthenticated /mcp request should return 401 with a WWW-Authenticate resource metadata link.
Connect Claude Web
Open Claude → Settings → Connectors.
Click Add custom connector.
Name it
Strava Planner.Set the remote MCP server URL to
https://strava.mohith16.com/mcp.Open Advanced settings.
Enter the exact
MCP_OAUTH_CLIENT_IDandMCP_OAUTH_CLIENT_SECRETfrom the server.env.Click Add, then Connect.
Enable the desired Strava tools in the Search and tools menu.
The URL entered in Claude must match MCP_PUBLIC_URL exactly, including the /mcp path and with no trailing slash. Access tokens are bound to that exact resource (RFC 8707 audience), so a mismatch is rejected. The redirect URI Claude uses is https://claude.ai/api/mcp/auth_callback, which is the default in MCP_OAUTH_REDIRECT_URIS.
The OAuth flow uses Claude's callback URL, PKCE (S256), a fixed confidential client authenticated with client_secret_post, one-hour signed access tokens, rotating 30-day refresh tokens, and MCP protected-resource + authorization-server metadata discovery. Claude supports this static-client model natively — the OAuth Client ID/Secret fields in Advanced settings exist precisely so a server can skip Dynamic Client Registration.
Tools
Existing tools remain available:
getAthleteProfilegetActivitiesgetActivitygetActivityStreamsgetRecentActivitiesgetActivitiesByType— paginated: acceptsafter,before,page, andlimit(max 200), and returns anextPagehint.getTrainingHistory— paginated: acceptsafter,before,page, andlimit(max 200), returns newest-first with anextPagehint.getAthleteOverview— bounded to a look-back window (sinceDays, default 365) instead of the full history.getHalfMarathonTrainingContext
Additional detailed-analysis tools:
getActivityLapsgetActivityZonesgetRecentRunsgetAthleteContext
Pagination change (backward-compatible defaults): getActivitiesByType and getTrainingHistory previously returned the athlete's entire history in one response. They now return one bounded page and expose nextPage; call again with that value to page through older activities. This keeps responses small and predictable.
Tool results are returned as pretty-printed JSON text content. Structured output schemas were intentionally not adopted to keep Claude Web operation maximally reliable; response size is controlled by the pagination above.
getHalfMarathonTrainingContext window
The training-cycle start date is resolved in this order: trainingStartDate in the athlete context file, then HALF_MARATHON_TRAINING_START_DATE, then a trailing 26-week window. Optional targetRaceDate, targetDistance, and targetTime in the athlete context are surfaced in the report. Weekly buckets use athlete-local time (Strava start_date_local) with Monday week starts, and every calendar week in the range is represented so streak and consistency metrics never bridge an inactive week.
getActivityStreams accepts streamTypes, allowing requests such as:
{
"activityId": 123456789,
"streamTypes": ["time", "distance", "heartrate", "velocity_smooth", "cadence"]
}Supported streams are time, distance, latlng, altitude, velocity_smooth, heartrate, cadence, watts, temp, moving, and grade_smooth. Strava returns only streams available for that activity.
Caching And Rate Limits
Activity responses use a bounded in-memory TTL + LRU cache per process (
STRAVA_CACHE_MAX_ENTRIES, default 500). Expired entries are pruned lazily and on write, and the least-recently-used entry is evicted past the cap, so memory cannot grow unbounded.Historical data is not persisted in a database.
Multi-page fetches are capped (
getAllActivitiesnever exceeds 25 pages) and the history tools page explicitly.Transient failures and
429/5xxresponses use exponential backoff with jitter;Retry-Afteris honored in both integer-seconds and HTTP-date forms.The Strava OAuth token exchange and refresh now also have a request timeout and transient-failure retry; a permanent 4xx is returned immediately.
A single 401 triggers one refresh-and-retry; permanent 4xx responses are returned immediately rather than retried.
Strava token refreshes are serialized (single-flight) to prevent concurrent rotation races.
SQLite was deliberately not added. For a single-user instance, the current cache avoids repeated calls within a session while keeping the ARM64 image and operational model small.
Security Status
Production protections implemented:
OAuth-compatible Claude Web authentication with PKCE (S256) and refresh-token rotation.
MCP access and refresh tokens signed with HS256; access tokens are audience-bound to the exact MCP URL.
Encrypted Strava tokens at rest with AES-256-GCM, written atomically with
0600permissions.Startup validation rejects placeholder/short production secrets.
Authless mode fails closed on any non-loopback bind unless explicitly overridden.
Read-only MCP tools with bounded, paginated responses.
HTTPS enforced at Nginx with HSTS,
X-Frame-Options,X-Content-Type-Options, and modern TLS ciphers.Host-header allowlist and DNS-rebinding protection from the MCP SDK.
OAuth endpoint rate limiting supplied by the MCP SDK.
No secrets or Strava payloads in normal logs.
Non-root container, dropped capabilities,
no-new-privileges, and localhost-only published application port.
Single-user limitations:
Dynamic Client Registration is intentionally disabled; enter the fixed client credentials in Claude.
A valid fixed client authorization request is approved immediately; there is no separate human consent page. Security therefore depends on keeping the OAuth client secret private and serving only over HTTPS.
Token revocations are remembered in memory. A restart clears the revocation set, although signed tokens still expire normally. Rotate
MCP_OAUTH_TOKEN_SIGNING_KEYto invalidate every outstanding MCP token immediately.The in-memory cache is not shared across replicas. Run one container unless you add shared state.
Never publish the endpoint with MCP_AUTH_ENABLED=false. GPS routes and heart-rate data are private and may be returned by tools.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Mohith1612/strava-planner-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server