# Research Findings for Garmin Login Improvements

## Phase 0: Outline & Research

### Client Authentication for Sync Operations

- **Decision**: The API client will not send an `Authorization` header on subsequent sync operations (e.g., `/api/sync/garmin/activities`).
- **Rationale**: The feature specification (`spec.md`) explicitly states that "the api caller should not need a cookie - all state should be global for the Garmin Sync service" and that the service operates as a single-user system: after a successful `/api/garmin/login`, the service implicitly uses the stored Garmin credentials for every later sync call. This resolves the discrepancy with the `sync_garmin_activities.json` contract, which showed an `Authorization: Bearer ` header.
- **Alternatives considered**:
  - Client sending an `APP_BEARER_TOKEN` (rejected: it contradicts the stateless-client requirement).
  - Client sending a session cookie (rejected: it contradicts the stateless-client requirement).
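The following is an added illustration of the decision above, not code from the project or its specification. It models the service-wide (global) session state: `POST /api/garmin/login` stores the Garmin credentials once, and `POST /api/sync/garmin/activities` uses them without reading any `Authorization` header or cookie from the caller. The class and function names, the upstream `garmin_login` callable, the sample activity record and the HTTP status codes (401 when no Garmin session exists yet) are all assumptions made for the example.

```python
"""Minimal model of global-state authentication for a single-user Garmin Sync service.

Added example, not the project's code. All names and status codes are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class GarminSession:
    """Credentials held once, service-wide; there is no per-caller session."""
    username: str
    password: str  # a real client would hold the Garmin session token instead


class GarminSyncService:
    """Holds the single global Garmin session used by every sync operation."""

    def __init__(self, garmin_login: Callable[[str, str], bool]):
        # hypothetical upstream login function: (username, password) -> success
        self._garmin_login = garmin_login
        self._session: Optional[GarminSession] = None

    def login(self, username: str, password: str) -> bool:
        """Authenticate against Garmin and, on success, replace the global session."""
        if not self._garmin_login(username, password):
            self._session = None  # a failed login must not leave stale state behind
            return False
        self._session = GarminSession(username, password)
        return True

    def is_logged_in(self) -> bool:
        return self._session is not None

    def sync_activities(self) -> list[dict]:
        """Fetch activities using the stored credentials; fails if nobody logged in yet."""
        if self._session is None:
            raise PermissionError("no Garmin session; call /api/garmin/login first")
        # constructed sample of what an upstream fetch would return
        return [{"activityId": 1, "user": self._session.username}]


def handle_request(service: GarminSyncService, method: str, path: str,
                   headers: dict, body: dict) -> tuple[int, dict]:
    """Tiny dispatcher standing in for the HTTP layer.

    The caller's headers are deliberately never consulted for authentication:
    an Authorization header or cookie is neither required nor rejected.
    """
    if method == "POST" and path == "/api/garmin/login":
        ok = service.login(body.get("username", ""), body.get("password", ""))
        if ok:
            return 200, {"status": "logged_in"}
        return 401, {"error": "garmin login failed"}
    if method == "POST" and path == "/api/sync/garmin/activities":
        try:
            return 200, {"activities": service.sync_activities()}
        except PermissionError as exc:
            # 401 chosen for "service not logged in to Garmin yet" (assumption)
            return 401, {"error": str(exc)}
    return 404, {"error": "not found"}


if __name__ == "__main__":
    svc = GarminSyncService(lambda u, p: p == "correct-horse")  # constructed stub
    print(handle_request(svc, "POST", "/api/sync/garmin/activities", {}, {}))
    print(handle_request(svc, "POST", "/api/garmin/login", {},
                         {"username": "alice", "password": "correct-horse"}))
    print(handle_request(svc, "POST", "/api/sync/garmin/activities", {}, {}))
```

Because the sync endpoints carry no caller authentication at all, the only thing gating them is network reachability; the model above therefore assumes the service is bound to loopback or fronted by a proxy that authenticates, which is a deployment condition the decision above depends on rather than something the code enforces.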