Davide Scaini
6c431e8821
Key at data_dir.parent/.garmin_key — nginx serves location /data/ { alias /var/bincio/data/; } so
anything inside that dir is reachable. The key lives one level up at /var/bincio/.garmin_key,
outside nginx's reach.
Two-layer storage — garmin_creds.json holds the encrypted email+password (needed for re-login when
tokens expire); garmin_session/ holds the garth OAuth tokens in plain JSON (short-lived, not the
user's actual password).
test_login() — called by the connect endpoint before saving anything, so credentials are only
persisted if they actually work.
get_client() — tries the session first (fast, no network), falls back to full re-login
transparently. The caller never needs to think about whether the session is fresh.
76 lines
2.7 KiB
Markdown
76 lines
2.7 KiB
Markdown
# Garmin Connect Sync — Disclaimer
|
|
|
|
**This feature uses an unofficial, community-maintained library to access Garmin Connect.
|
|
It is not affiliated with, endorsed by, or supported by Garmin Ltd. or its subsidiaries.**
|
|
|
|
---
|
|
|
|
## What this feature does
|
|
|
|
When you enable Garmin Connect sync, BincioActivity will:
|
|
|
|
1. Ask for your Garmin Connect **email address and password**
|
|
2. Store those credentials on the server, encrypted at rest
|
|
3. Use them to log in to Garmin Connect on your behalf and download your activity files (FIT format)
|
|
4. Import those activities into your BincioActivity account
|
|
|
|
---
|
|
|
|
## What you need to know before enabling this
|
|
|
|
### Your credentials are stored on the server
|
|
|
|
Unlike Strava (which uses OAuth — you authorize without sharing your password),
|
|
Garmin Connect has no official third-party API. This feature works by logging in
|
|
as you, using your actual email and password.
|
|
|
|
This means:
|
|
|
|
- The server operator has technical access to your stored credentials
|
|
- You are trusting both the software and the person running the server
|
|
- Only enable this on a server you control or run by someone you fully trust
|
|
|
|
### This uses an unofficial API
|
|
|
|
Garmin does not provide a public developer API for activity data.
|
|
This feature relies on a reverse-engineered interface that:
|
|
|
|
- May break without notice when Garmin changes their systems
|
|
- Is not covered by any Garmin service agreement or SLA
|
|
- May violate Garmin Connect's Terms of Service
|
|
|
|
BincioActivity takes no responsibility for account restrictions or bans
|
|
that may result from using this feature.
|
|
|
|
### Two-factor authentication (2FA)
|
|
|
|
If your Garmin account has 2FA enabled, this feature may not work or may
|
|
require additional steps. Garmin has changed their authentication flow
|
|
several times; compatibility depends on the current state of the underlying library.
|
|
|
|
### Rate limits
|
|
|
|
Garmin does not publish API rate limits. Syncing too frequently or importing
|
|
large volumes of activities may result in temporary or permanent IP blocks.
|
|
BincioActivity applies conservative limits, but cannot guarantee uninterrupted access.
|
|
|
|
---
|
|
|
|
## How to revoke access
|
|
|
|
BincioActivity does not hold an OAuth token that can be revoked from Garmin's settings.
|
|
To stop BincioActivity from accessing your Garmin account:
|
|
|
|
1. Delete your stored credentials from BincioActivity (Settings → Garmin Connect → Disconnect)
|
|
2. **Change your Garmin Connect password** — this is the only way to guarantee that
|
|
no previously stored credentials can be used
|
|
|
|
---
|
|
|
|
## Recommendation
|
|
|
|
If you have concerns about credential storage, consider the alternative:
|
|
export your activities from Garmin Connect or Garmin Express as FIT files
|
|
and upload them directly to BincioActivity. This requires no credentials
|
|
and is always available.
|