This appears to be the Garmin API, which supports OAuth1a, has no public documentation, and the limitations are pretty well detailed as well on the company blog of the author:https://blog.smashrun.com/2021/05/21/a-new-garmin-api/.
What an awful experience, I hope I never have to use it.
If this is Garmin, I'm sadly not certain the difficulties are intentional. Their software has always been a major detraction from their really solid hardware. Connect IQ seems to be honestly trying to provide functionality, but ends up being a strange bastardization of Javascript and Java that compiles to Java bytecode. The experience was riddled with the same types of alpha-quality oversights and the target market started moving to Coros watches, but before I dropped the project all the watch crashes and firmware updates made much more sense.
When I saw the OAuth 1a, I cringed and audibly said "Oh no!"
I have to deal with OAuth 1a to make API calls to Jira and other Atlassian products. Hooray for whoever came up with OAuth 2 and did away with the requirement for the client to do cryptographic operations.
Surprisingly enough, OAuth 1a was the easy part for article author. May God have mercy on his soul.
I had the same reaction when I saw OAuth 1a. I wrote some code that called NetSuite's REST API, which also uses that; it was more than a little annoying.
I had a wild guess this would be Garmin too. Between this and the problems evidenced by their ransomware payout, their software engineering could use a serious overhaul.
A shame, because their hardware is generally good.