[BUG] 403 Forbidden on /activitylist-service/activities/search after successful Garth authentication

[marekhor-sys]

Despite successful two-factor authentication (2FA) and token storage via garth, API calls made using the garminconnect client are consistently failing with a 403 Client Error: Forbidden. This suggests the tokens or request headers passed to the API endpoints are no longer accepted by the Garmin server.

The issue occurs when attempting to download data after establishing a session.

Steps to Reproduce
Use the standard garth workflow to authenticate and store a token (garth.login() followed by manual MFA input in the terminal).

Initialize the garminconnect client and attempt a data retrieval call (e.g., client.get_activities(0, 10)).

Observed Behavior
The garth authentication phase succeeds, and the token is saved. However, the subsequent API request fails with a 403 Client Error: Forbidden.

Exact Traceback Snippet from API Failure:

Python

requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://connectapi.garmin.com/activitylist-service/activities/search?start=0&limit=10

Note: This error occurs even after the 2FA process is successfully completed.

Technical Environment
The issue appears to be related to incompatibility between the libraries' current versions and Garmin's API requirements.

Python Version: 3.11 / 3.13 (Environment dependent)

garminconnect Version: 0.2.34

garth Version (Dependency): 0.5.19

Conclusion
The server is actively rejecting the request headers/cookies generated by the current combination of garth and garminconnect when accessing the primary activity endpoint (connectapi). This indicates a probable change in required signatures or access rules on the Garmin server side.

[cyberjunky]

I cannot reproduce, removed my tokens, logged in, mfa, and tried all activity options in demo.py, they all still work.

[cyberjunky]

Can you test demo.py? Can you fetch 1 activity?

[marekhor-sys]

I can not connect to garmin.

This is the output of the domo test

$ python -u "c:\temp\Bakalarska_prace\Garmin_desktop\test_konektivity.py"
--- STARTING GARMIN CONNECTIVITY TEST ---
Zahajuji přihlášení. Pokud je vyžadováno 2FA, zadejte kód do terminálu.
MFA code: 982382

✅ Přihlášení úspěšné. Pokouším se volat API...
Login failed
Traceback (most recent call last):
File "C:\Users\marek\AppData\Roaming\Python\Python313\site-packages\garminconnect_init_.py", line 397, in login
if not getattr(self.garth, "profile", None):
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\marek\AppData\Roaming\Python\Python313\site-packages\garth\http.py", line 107, in profile
return self.user_profile
^^^^^^^^^^^^^^^^^
File "C:\Users\marek\AppData\Roaming\Python\Python313\site-packages\garth\http.py", line 97, in user_profile
self._user_profile = self.connectapi(
~~~~~~~~~~~~~~~^
"/userprofile-service/socialProfile"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "C:\Users\marek\AppData\Roaming\Python\Python313\site-packages\garth\http.py", line 189, in connectapi
resp = self.request(method, "connectapi", path, api=True, **kwargs)
File "C:\Users\marek\AppData\Roaming\Python\Python313\site-packages\garth\http.py", line 136, in request
self.refresh_oauth2()
~~~~~~~~~~~~~~~~~~~^^
File "C:\Users\marek\AppData\Roaming\Python\Python313\site-packages\garth\http.py", line 179, in refresh_oauth2
assert self.oauth1_token and isinstance(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
self.oauth1_token, OAuth1Token
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
), "OAuth1 token is required for OAuth2 refresh"
^
AssertionError: OAuth1 token is required for OAuth2 refresh

❌ NEPŘEDVÍDANÁ CHYBA: Login failed: OAuth1 token is required for OAuth2 refresh

[cyberjunky]

I I see you use your own code, and don't catch MFA login it seems...
Can you test the demo.py program in this repo?
If that works something your account is ok. and we need to investigate what you made...

[marekhor-sys]

Despite successfully completing the MFA/2FA process, the library fails upon attempting to finalize the session and acquire data. The core issue appears to be an internal logic flaw within garth's token refresh mechanism.

The problem is consistently reproducible in the specified environment after correctly entering the MFA code.

Steps to Reproduce
Setup: Use the standard garth login flow in a clean environment.

Action: Enter username/password, and then successfully enter the MFA code into the terminal when prompted.

Failure Point: The process crashes immediately after validating the MFA code, before attempting to download activities.

Evidence (Full Traceback of Internal Failure)
Please ensure you copy the complete traceback from your last session, which shows the crash deep inside the garth/http.py module.

Traceback (most recent call last):
[... lines removed for brevity ...]
  File "C:\Users\marek\AppData\Roaming\Python\Python313\site-packages\garth\http.py", line 179, in refresh_oauth2
    assert self.oauth1_token and isinstance(
    ), "OAuth1 token is required for OAuth2 refresh"
    ^
AssertionError: OAuth1 token is required for OAuth2 refresh
Environment
This issue is likely tied to the interaction between the library version and the latest Python dependencies.

Python Version: Python 3.13 (or 3.11/3.12, whichever is your actual standard interpreter)

Operating System: Windows 10/11 (MINGW64 Shell)

garminconnect Version: 0.2.34

garth Version: 0.5.19

Conclusion
The library's internal logic (refresh_oauth2) is failing to recognize the valid OAuth2 token acquired via MFA and instead forces a check for an outdated OAuth1 token. This makes the library unusable for anyone with an active 2FA account in this environment.

[cyberjunky]

You don't seem to read my comment or don't understand them, which makes it very hard for me to help you. You have not completed the MFA flow. You only entered the code but it seems to fail to work from than moment. Is the above done with your own python code? If so which login/init calls do you use. Did you try to use the provided demo.py code? What are the result from that?

[marekhor-sys]

Hello,

Sorry for the confusion. Thank you for your continued effort to help me.

I understand that the issue is difficult to reproduce, as it seems to be a bug specific to my environment (Windows/Python). Here are some direct answers that should definitively clarify the issue:

1. MFA process completion
   The MFA code was entered and was correct.

The critical error occurs immediately after entering a valid MFA code and attempting to complete the session, not before. The system gets the MFA code, but crashes when trying to use or renew the token.

2. Code and calls used
   The critical output I sent you is from our main application. We use a standard sequence of calls that works on many systems:

Python

1. Authentication: Gartha gets the token and stores it.

garth.login(USERNAME, PASSWORD)

2. Client initialization and Login call:

This is where the crash occurs because the client is trying to retrieve

and renew the session start token.

client = Garmin(USERNAME, PASSWORD)
client.login()
3. Test result with demo.py
DEMO.PY WORKED ON FIRST RUN.

When I ran demo.py, I successfully logged in (including entering the MFA code).

This confirmed that my account and code were fine.

4. Final conclusion about the bug
   The problem is in the Session Management between individual API calls.

When trying to renew the session (when calling client.login() or when calling the API), an internal crash occurs in the garth library.

The error is deep in garth/http.py, line 179, and it forces a deprecated check: AssertionError: OAuth1 token is required for OAuth2 refresh

This error prevents the application from using the acquired token. This is a critical bug in the authentication subsystem that occurs specifically in my environment and prevents any interaction with the API after login.

Thank you for your time and I hope this detailed analysis helps with the diagnosis.