Releases: matin/garth

v0.8.0 — Final Release

28 Mar 00:10
f99159a

Garth is deprecated and no longer maintained. Garmin changed their auth flow, breaking the mobile auth approach that Garth depends on. See the announcement for details. Anyone is welcome to fork Garth as a starting point for a new library.

Changes

  • Added DeprecationWarning on import garth
  • Disabled telemetry by default
  • Updated PyPI classifier to Development Status :: 7 - Inactive
  • Updated README and documentation with deprecation notices

For existing users

If you already have a saved session with a valid OAuth1 token, Garth may continue to work until that token expires (~1 year from when it was issued). New logins will not work.

Thank you to everyone who used and contributed to Garth. 🙏

0.7.11

19 Mar 13:49
6c1b537

What's Changed

Full Changelog: 0.7.10...0.7.11

0.7.10

19 Mar 03:55
9760c41

What's Changed

New Contributors

Full Changelog: 0.7.9...0.7.10

0.7.9

18 Mar 11:42
a3bac03

Bug Fix

  • Switch all SSO constants from iOS to Android to match the consumer key from S3. The mismatch between iOS client identity and Android consumer key was the root cause of "Client app validation failed" 401 errors on preauthorized.

    • Client ID: GCM_IOS_DARK → GCM_ANDROID_DARK
    • Service URL: gcm/ios → gcm/android
    • Audience: GARMIN_CONNECT_MOBILE_IOS_DI → GARMIN_CONNECT_MOBILE_ANDROID_DI

Full Changelog: 0.7.8...0.7.9

0.7.8

18 Mar 10:59
3571c55

Bug Fix

  • Revert browser headers on login POST and MFA verify — these are mobile API endpoints that expect GCM-iOS-* user agent, not browser UA. The 0.7.7 change caused 401 on login for all users.

Browser headers remain on page requests (sign-in, embed) only.

Full Changelog: 0.7.7...0.7.8

0.7.7

18 Mar 10:49
8d8c768

Bug Fix

  • Use consistent browser-like headers on all SSO endpoints (sign-in, login, MFA verify, embed). Cloudflare was blocking the login POST with 401 because it used a different User-Agent than the sign-in page that obtained the cf_clearance cookie.

Full Changelog: 0.7.6...0.7.7

0.7.6

18 Mar 10:42
205d339

Bug Fix

  • Invalidate OAuth1 token when exchange fails (429/403/any HTTP error) to prevent retry loops — subsequent API calls now fail fast instead of hammering the exchange endpoint on every request
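The fail-fast behaviour this fix describes, as an added example that is not Garth's own code: a failed exchange invalidates the OAuth1 token, so later calls raise locally instead of contacting the exchange endpoint again. `TokenStore`, `ExchangeError`, `simulate` and the injected `exchange_fn` are hypothetical names, and the exchange endpoint is replaced by a constructed stub so the block runs offline.

```python
# Added illustration; all names here are hypothetical, not Garth's API.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

class ExchangeError(Exception):
    """The OAuth1 -> OAuth2 exchange failed or can no longer be attempted."""

@dataclass
class TokenStore:
    # exchange_fn takes the OAuth1 token, returns (HTTP status, OAuth2 token or None).
    exchange_fn: Callable[[str], tuple[int, Optional[str]]]
    oauth1_token: Optional[str] = None
    oauth2_token: Optional[str] = None
    exchange_calls: int = 0  # how often the exchange endpoint was contacted

    def refresh_oauth2(self) -> str:
        if self.oauth1_token is None:
            # Fail fast: nothing to exchange, so do not touch the network.
            raise ExchangeError("OAuth1 token invalidated; log in again")
        self.exchange_calls += 1
        status, token = self.exchange_fn(self.oauth1_token)
        if status >= 400 or token is None:
            # Any HTTP error (429, 403, ...) invalidates the OAuth1 token so
            # the next API call cannot start another exchange attempt.
            self.oauth1_token = None
            self.oauth2_token = None
            raise ExchangeError(f"exchange failed with HTTP {status}")
        self.oauth2_token = token
        return token

    def api_call(self, path: str) -> str:
        if self.oauth2_token is None:
            self.refresh_oauth2()
        return f"GET {path} with bearer {self.oauth2_token}"

def simulate(statuses: list[int], requests: int) -> tuple[int, int]:
    """Issue `requests` API calls against a constructed exchange stub that
    replies with `statuses` in order; return (exchange_calls, failed_calls)."""
    replies = iter(statuses)
    def fake_exchange(_oauth1: str) -> tuple[int, Optional[str]]:
        status = next(replies)
        return status, ("constructed-oauth2" if status == 200 else None)
    store = TokenStore(fake_exchange, oauth1_token="constructed-oauth1")
    failed = 0
    for _ in range(requests):
        try:
            store.api_call("/hypothetical/endpoint")
        except ExchangeError:
            failed += 1
    return store.exchange_calls, failed
```

With a single 429 reply and five API calls, the exchange endpoint is contacted once and all five calls fail, four of them without any network request.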

Full Changelog: 0.7.5...0.7.6

0.7.5

18 Mar 10:31
2fa07d1

Bug Fix

  • Restore Android user agent (com.garmin.android.apps.connectmobile) for OAuth1-signed requests (preauthorized, exchange). In 0.7.0, this was accidentally changed to the iOS user agent, but the consumer key from S3 is from the Android app — Garmin validates that these match, causing "Client app validation failed" 401 errors.

This was the root cause of the intermittent 401s reported in #198.

Full Changelog: 0.7.4...0.7.5

0.7.4

18 Mar 10:23
c319358

Bug Fix

  • Send browser-like headers (User-Agent, Sec-Fetch-*, Accept) on SSO web page requests to avoid Cloudflare bot challenges that returned 403
  • Make /portal/sso/embed step best-effort — if Cloudflare still challenges, login proceeds without the LB cookie rather than failing

Full Changelog: 0.7.3...0.7.4

0.7.3

18 Mar 10:05
868af84

Bug Fix

  • Fix intermittent 401 "Client app validation failed" on login by adding the missing /portal/sso/embed step and copying cookies (including the Cloudflare LB cookie) from the parent session to the OAuth1 session (#209)
  • Fix CI: disable telemetry before importing garth in tests to prevent logfire background requests from interfering with VCR cassette matching

Thanks to @NiklasCa and @semicolon-spec for reporting and testing.

Full Changelog: 0.7.2...0.7.3