"The answer is sort of yes - browsers aren't magic! All the information browsers send to your backend is just HTTP requests. So if I copy all of the HTTP headers that my browser is sending, I think there's literally no way for the backend to tell that the request isn't sent by my browser and is actually being sent by a random Python program."
There is a way.^1 One might need to copy the static elements of the TLS Client Hello in addition to certain HTTP headers.
One big problem here is that I'm using my Google session cookie for authentication, so this script will stop working whenever my browser session expires.
That means that this approach wouldn't work for a long running program (I'd want to use a real API), but if I just need to quickly grab a little bit of data as a 1-time thing, it can work great!"
Sometimes Google keeps users logged in. For example, session cookies in Gmail will last for months or more. This makes it easy to check Gmail from the command line without a browser. It also means if someone steals a session cookie and the user never logs out, e.g., she closes the browser without logging out first,^2 then the thief can access the account for months, or longer.
2. Of course, it is also possible to logout and disable specific session cookies from the command line, without a browser.
There is a way.^1 One might need to copy the static elements of the TLS Client Hello in addition to certain HTTP headers.
1. https://blog.squarelemon.com/tls-fingerprinting/
See, e.g., https://github.com/refraction-networking/utls
"problem 1: expiring session cookies
One big problem here is that I'm using my Google session cookie for authentication, so this script will stop working whenever my browser session expires.
That means that this approach wouldn't work for a long running program (I'd want to use a real API), but if I just need to quickly grab a little bit of data as a 1-time thing, it can work great!"
Sometimes Google keeps users logged in. For example, session cookies in Gmail will last for months or more. This makes it easy to check Gmail from the command line without a browser. It also means if someone steals a session cookie and the user never logs out, e.g., she closes the browser without logging out first,^2 then the thief can access the account for months, or longer.
2. Of course, it is also possible to logout and disable specific session cookies from the command line, without a browser.