6/27/2025 • 19 min read
How to Log In to Foxie Fit
fit.foxie.vip is a personal running dashboard that pulls your activity data directly from Strava. Because it uses Strava's official OAuth flow, you authenticate with your own Strava API credentials — keeping full control over your data.
This guide walks you through everything from creating a Strava API app to syncing your first activity.
Prerequisites
- A Strava account with at least one recorded activity.
- A few minutes to create a free Strava API application.
Step 1 — Create a Strava API App
- Visit https://www.strava.com/settings/api (you must be logged in to Strava).
- Fill in the required fields:
Field What to enter Application Name Anything you like, e.g. Foxie FitCategory VisualizerClub Leave empty Website https://fit.foxie.vipAuthorization Callback Domain fit.foxie.vip - Click Create and agree to the API terms.
- You will land on a page that shows your Client ID and Client Secret. Keep this tab open — you will need both values in the next step.
Tip: Your Client Secret is sensitive. Do not share it. It is stored only in your browser session and is never sent to any third-party server.
Step 2 — Connect Strava on the Login Page
Open https://fit.foxie.vip/login and fill in the form.
The login form has three fields:
| Field | Required | Description |
|---|---|---|
| Client ID | ✅ | The numeric ID from your Strava API app. |
| Client Secret | ✅ | The secret string from your Strava API app. |
| Refresh Token | ✖ (optional) | Paste an existing Strava refresh token to skip the OAuth redirect completely. |
Option A — Standard OAuth (recommended for first-time login)
Leave the Refresh Token field empty and click Connect with Strava. You will be redirected to Strava to authorize access, then returned to the dashboard automatically.
Option B — Skip OAuth with a Refresh Token
If you already have a refresh token from a previous session (visible in the browser cookie strava_refresh_token), paste it in the Refresh Token field and click Connect with Strava. The app exchanges it immediately for a fresh access token — no redirect needed.
Step 3 — Authorize on Strava (Option A only)
Strava will ask you to grant read access to your activities. Click Authorize to continue.
You will be automatically redirected back to fit.foxie.vip/login/verify.
Step 4 — Verification
The verify page exchanges the one-time code from Strava for a short-lived access token and a long-lived refresh token. The following cookies are set as HTTP-only:
| Cookie | Lifetime | Purpose |
|---|---|---|
strava_access_token | 6 hours | Used to call Strava APIs |
strava_token_expires_at | 6 hours | Unix timestamp of expiry |
strava_refresh_token | 1 year | Used to obtain new access tokens |
strava_client_id | 1 year | Stored for server-side token refresh |
strava_client_secret | 1 year | Stored for server-side token refresh |
Once verification succeeds, you are redirected to the home dashboard.
Step 5 — Automatic Token Rotation
Access tokens from Strava expire after 6 hours. When you trigger a sync, the server automatically detects if your token is missing or within 5 minutes of expiry and exchanges the stored refresh token for a new pair before making any Strava API calls.
The flow looks like this:
Sync request received
│
▼
strava_access_token present?
AND expires_at > now + 5 min?
│
Yes │ No (expired or near-expiry)
──────┤──────────────
│ │
│ ▼
│ strava_refresh_token present?
│ ├── Yes → exchange → set new cookies
│ └── No → 401 Unauthorized
▼
Proceed with Strava API call
You never need to log in again unless you clear your cookies or revoke access inside the Strava settings.
Step 6 — Sync Your Activities
After logging in, two options appear on the home page:
- View Strava Profile — shows your athlete stats and totals pulled from the database.
- Activities — lists your synced running sessions with distance, pace, heart rate, and elevation.
To import your latest runs click the Strava sync button (the orange Strava icon in the header). The app calls Strava's activities API, writes the results to the shared database, and refreshes the view.
Authentication Flow (Technical Summary)
Browser fit.foxie.vip Strava
│ │ │
│── POST /login ──────────>│ │
│ { clientId, secret } │ │
│ (optional refreshToken)│ │
│ │ │
│ ╔══ With refreshToken ══╗ │
│ ║ POST /auth/refresh-login │
│ ║ → exchange → Set-Cookie ←──────────────────── │
│ ║ redirect "/" │
│ ╚═════════════════════╝ │
│ │ │
│ ╔══ Without refresh ══╗ │
│ ║ GET /auth/url?state=…│ │
│ ║ redirect Strava OAuth ─────────────────────> │
│ ║ ←── callback /login/verify?code │
│ ║ POST /auth/verify │
│ ║ → exchange code → Set-Cookie │
│ ╚═════════════════════╝ │
Logging Out
Go to https://fit.foxie.vip/strava/profile and click the Logout button. This calls /api/strava/auth/logout, which clears all five auth cookies.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| "Missing authorization code" on verify page | You cancelled the Strava authorization dialog | Go back to /login and try again |
| "Missing stored credentials" | The state parameter was tampered with or expired | Refresh /login and submit again |
| Activities list is empty | No sync has been performed yet | Click the Strava sync button in the header |
| Sync returns 401 | Cookies were cleared, or the refresh token is revoked | Log out and log back in |
| "Token refresh failed" on refresh-login | The refresh token you pasted is invalid or revoked | Use Option A (standard OAuth) instead |
If you have questions or run into any issues, feel free to reach out via the contact form on this site.
How to Log In to Foxie Fit
fit.foxie.vip is a personal running dashboard that pulls your activity data directly from Strava. Because it uses Strava's official OAuth flow, you authenticate with your own Strava API credentials — keeping full control over your data.
This guide walks you through everything from creating a Strava API app to syncing your first activity.
Prerequisites
- A Strava account with at least one recorded activity.
- A few minutes to create a free Strava API application.
Step 1 — Create a Strava API App
- Visit https://www.strava.com/settings/api (you must be logged in to Strava).
- Fill in the required fields:
Field What to enter Application Name Anything you like, e.g. Foxie FitCategory VisualizerClub Leave empty Website https://fit.foxie.vipAuthorization Callback Domain fit.foxie.vip - Click Create and agree to the API terms.
- You will land on a page that shows your Client ID and Client Secret. Keep this tab open — you will need both values in the next step.
Tip: Your Client Secret is sensitive. Do not share it. It is stored only in your browser session and is never sent to any third-party server.
Step 2 — Connect Strava on the Login Page
- Open https://fit.foxie.vip/login.
- Enter the Client ID and Client Secret from your Strava API app.
- Click Connect with Strava.
Internally, the app bundles your credentials into a signed, Base64-encoded state parameter and redirects you to Strava's OAuth authorization endpoint.
Step 3 — Authorize on Strava
Strava will ask you to grant read access to your activities. Click Authorize to continue.
You will be automatically redirected back to fit.foxie.vip/login/verify.
Step 4 — Verification
The verify page exchanges the one-time code from Strava for a short-lived access token and a long-lived refresh token. Both are stored as HTTP-only cookies in your browser — they are never exposed to JavaScript.
Once verification succeeds, you are redirected to the home dashboard.
Step 5 — Sync Your Activities
After logging in, two options appear on the home page:
- View Strava Profile — shows your athlete stats and totals pulled from the database.
- Activities — lists your synced running sessions with distance, pace, heart rate, and elevation.
To import your latest runs click the Strava sync button (the orange Strava icon in the header). The app calls Strava's activities API with your access token, writes the results to the shared database, and refreshes the view.
Authentication Flow (Technical Summary)
Browser fit.foxie.vip Strava
| | |
|-- POST /login ---------->| |
| { clientId, secret } | |
| |-- GET /oauth/authorize >|
|<-- redirect Strava ---- | |
| | |
|-- Authorize -------------------------------------->|
|<-- redirect /login/verify?code=... --------------- |
| | |
|-- POST /api/strava/auth/verify |
| { code, state } |-- exchange code ------->|
| |<-- access + refresh --- |
|<-- Set-Cookie tokens --- | |
|-- redirect "/" --------> | |
Token Refresh
Access tokens from Strava expire after 6 hours. When you trigger a sync, the server checks whether your access token is still valid. If it has expired but a refresh token is present in the cookie, it automatically calls Strava's token endpoint to obtain a new pair and re-sets the cookies. You never need to log in again unless you clear your cookies or revoke access in Strava.
Logging Out
Go to https://fit.foxie.vip/strava/profile and click the Logout button. This calls /api/strava/auth/logout, which clears the auth cookies and resets the in-memory session.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| "Missing authorization code" on verify page | You cancelled the Strava authorization dialog | Go back to /login and try again |
| "Missing stored credentials" | The state parameter was tampered with or expired | Refresh /login and submit again |
| Activities list is empty | No sync has been performed yet | Click the Strava sync button in the header |
| Sync returns 401 | Cookies were cleared or the refresh token expired | Log out and log back in |
If you have questions or run into any issues, feel free to reach out via the contact form on this site.