TLS fingerprinting blocks third-party clients

I'm a software developer and over the years I've made a few scripts and tools to collect, parse, analyze, and otherwise interact with my data on Garmin Connect. Most recently, I was interested in using an MCP server to give LLMs access to my data. There are already a few options available, but most of them have been broken by a recent server-side change. Apparently, Garmin is now using Cloudflare TLS fingerprinting, which breaks most/all non-browser clients. That means we can no longer (easily) interact with the Connect REST APIs.

This is really disappointing to me as a customer. The data I record on my devices and store on Garmin Connect are my data, and I expect to be able to access it via reasonable means for whatever purpose I want to use it for. Garmin customers, including myself, made a lot of noise in support of Garmin when Strava recently brought a frivolous lawsuit over patents and data usage. But whether or not it was intentional, this change makes me feel like Garmin is now gatekeeping access to my own data in a similar manner.

I do understand that there are costs associated with running the platform, and there need to be controls in place to prevent malicious misuse or excessive requests from badly-behaved clients. But if that's the primary concern, it's time for Garmin Connect to provide a real, documented public API with OAuth support and the ability for any developer to create a new client for personal use.

  • Also of interest, I use Railway for my app. After finally creating a valid token that works locally, when stored on Railway it gets blocked. Cloudflare is actively blocking Railway IPs.

  • I fully support the need for a connection to my data from Garmin - passion projects with real-world uses make me even more confident in using Garmin... this latest change however removes that ability.

  • Super annoying that Garmin has done this!

  • Check this, https://github.com/nrvim/garmin-givemydata they are looking for testers.
    They are using a different technique to bypass Cloudflare.

    If it works, try to use the same technique in your own projects.

    P.S.: Don't buy Garmin anymore, lessons learned. Wahoo and other competitors have open APIs where you can get your data.

    Shame on you Garmin!

  • Follow-up:

    We are currently revising our application form for access to the Garmin Developer Program.
    During this period, no new requests can be submitted.
     
    We understand that this may be inconvenient and appreciate your patience.
    The Developer Program Partner Service team will process your access request
    immediately once it has been submitted via the updated form, which will be available in the coming days

  • I just checked my Garmin Index Scale and it does not seem to have any port whatsoever. It connects to your WiFi and uploads the measurements to the Garmin Cloud.

  • Way to miss the point entirely of the thread like a good corporate bot. The Garmin Developer Program never allowed personal open source scripts; even if Garmin deploys a new form, this will not change. Garmin is due for a good lawsuit/new law for locking OUR data.

  • To the Garmin team, you are breaking the EU DATA ACT LAW.

    "Under the EU Data Act, users of connected devices can access, use and port the data they co-generate, and data holders must make that data available for free through a simple process. Garmin should therefore give users full access to their watch and health data on a daily basis, in a structured, machine-readable way, instead of deciding if and when to release complete data. A user-facing API would be an obvious and sensible way to comply, even if the law is framed around effective data access rather than one mandatory technical format"

    Link: https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained

    To the users, please complain here and open a case: 

    EU users should not wait for Garmin to decide when to release their data. The easiest official route is to file a complaint with your own national Data Protection Authority using the EDPB country list, and also contact your national ECC-Net office for cross-border consumer help. Do not send it to the EDPB itself, because the EDPB does not handle complaints.

    https://www.edpb.europa.eu/about-edpb/about-edpb/members_en


    Model for the complaint:

    Dear Sir or Madam,

    I am submitting a complaint regarding Garmin’s handling of data generated by my Garmin watch and Garmin Connect account.

    The company concerned is Garmin Würzburg GmbH, which Garmin identifies as the controller for personal data of users in the EEA, UK, and Switzerland. Garmin states that this entity is located at Beethovenstraße 1a, 97080 Würzburg, Germany, and that its EU data protection contact email is [email protected].

    I requested access to my full watch and health data in a structured, machine-readable format, including effective ongoing access to the data I generate on a daily basis and the ability to transfer that data to a third party of my choice. Garmin has [not provided the data / provided incomplete data / delayed access / refused ongoing access / refused transfer to a third party].

    In my view, Garmin is not giving me effective access to the data I generate through the connected device and related service. Instead, Garmin appears to decide unilaterally when, how, and in what completeness my data is released, which prevents meaningful access, portability, and reuse.

    I ask your authority to review whether Garmin complies with applicable EU data access, portability, and health-data obligations, and to require Garmin to provide full access without undue delay in a structured, machine-readable format. A user-facing API would be an obvious and practical solution, even if another equally effective technical solution could also be used.

    Company details:
    Garmin Würzburg GmbH
    Beethovenstraße 1a
    97080 Würzburg
    Germany
    EU privacy contact listed by Garmin: [email protected]

    User details:
    Name:
    Address:
    Country:
    Email:
    Garmin account email:
    Device model:
    Garmin product model:
    Dates of my request(s) to Garmin:
    Summary of Garmin’s reply or non-response:
    Evidence attached: screenshots, exports, support emails, and account pages

    Kind regards,
    [Name]

  • I was just moderated for saying Garmin is not following the EU Data Act.

    Garmin you are breaking the EU Data Act:

    https://www.eu-data-act.com/Data_Act_Article_3.html


    Under the EU Data Act, users of connected devices can access, use and port the data they co-generate, and data holders must make that data available for free through a simple process. Garmin should therefore give users full access to their watch and health data on a daily basis, in a structured, machine-readable way, instead of deciding if and when to release complete data. A user-facing API would be an obvious and sensible way to comply, even if the law is framed around effective data access rather than one mandatory technical format.

  • Application form? Are you saying that Garmin customers should apply to programmatically get their data?!?

    You know what, I'll dump my Garmin device for one that provides better service!