Davide Scaini
6c431e8821
Key at data_dir.parent/.garmin_key — nginx serves location /data/ { alias /var/bincio/data/; } so
anything inside that dir is reachable. The key lives one level up at /var/bincio/.garmin_key,
outside nginx's reach.
Two-layer storage — garmin_creds.json holds the encrypted email+password (needed for re-login when
tokens expire); garmin_session/ holds the garth OAuth tokens in plain JSON (short-lived, not the
user's actual password).
test_login() — called by the connect endpoint before saving anything, so credentials are only
persisted if they actually work.
get_client() — tries the session first (fast, no network), falls back to full re-login
transparently. The caller never needs to think about whether the session is fresh.
2.7 KiB
Garmin Connect Sync — Disclaimer
This feature uses an unofficial, community-maintained library to access Garmin Connect. It is not affiliated with, endorsed by, or supported by Garmin Ltd. or its subsidiaries.
What this feature does
When you enable Garmin Connect sync, BincioActivity will:
- Ask for your Garmin Connect email address and password
- Store those credentials on the server, encrypted at rest
- Use them to log in to Garmin Connect on your behalf and download your activity files (FIT format)
- Import those activities into your BincioActivity account
What you need to know before enabling this
Your credentials are stored on the server
Unlike Strava (which uses OAuth — you authorize without sharing your password), Garmin Connect has no official third-party API. This feature works by logging in as you, using your actual email and password.
This means:
- The server operator has technical access to your stored credentials
- You are trusting both the software and the person running the server
- Only enable this on a server you control or run by someone you fully trust
This uses an unofficial API
Garmin does not provide a public developer API for activity data. This feature relies on a reverse-engineered interface that:
- May break without notice when Garmin changes their systems
- Is not covered by any Garmin service agreement or SLA
- May violate Garmin Connect's Terms of Service
BincioActivity takes no responsibility for account restrictions or bans that may result from using this feature.
Two-factor authentication (2FA)
If your Garmin account has 2FA enabled, this feature may not work or may require additional steps. Garmin has changed their authentication flow several times; compatibility depends on the current state of the underlying library.
Rate limits
Garmin does not publish API rate limits. Syncing too frequently or importing large volumes of activities may result in temporary or permanent IP blocks. BincioActivity applies conservative limits, but cannot guarantee uninterrupted access.
How to revoke access
BincioActivity does not hold an OAuth token that can be revoked from Garmin's settings. To stop BincioActivity from accessing your Garmin account:
- Delete your stored credentials from BincioActivity (Settings → Garmin Connect → Disconnect)
- Change your Garmin Connect password — this is the only way to guarantee that no previously stored credentials can be used
Recommendation
If you have concerns about credential storage, consider the alternative: export your activities from Garmin Connect or Garmin Express as FIT files and upload them directly to BincioActivity. This requires no credentials and is always available.