
While logging in to Kagi with session link URLs is very useful, it's a bit creepy that I can get to my Stripe credit card info with just knowledge of the Session Link URL. Any chance to add an (opt-in?) settings checkbox for requiring the full username + password authentication before being able to access the user's billing page? Or more generalized, have session link access scopes for "just be able to use Kagi, without seeing any identifiable user info", ideally. The risk of a session key leak via browser history etc. revealing user info seems a bit disconcerting, be it via user mistake or some third party system not assuming URL history is sensitive. Thanks.

  • Vlad replied to this.
    13 days later

    Rain That is a reasonable request. Note that you can invalidate your session link at any time.

      6 months later

      This would be a great feature. I'd like to be able to use a Session Link to allow Kagi on a slightly untrusted device, like a work machine. I don't need Kagi administrative access on my work machine, just search.

        @z64 does the upcoming 2FA feature include this change (2FA prompt on billing)?

        • z64 replied to this.

          Vlad It does not currently. Strictly speaking, this is a separate feature; those without 2FA should be gated by account password as well, and 2FA may be able to substitute in some circumstances if they have it enabled. We can definitely try to ship it together.

          8 months later

          This was implemented.
