Skip to main content

Authentication Matrix

This reference provides a complete mapping of which commands require which authentication tokens, including fallback behavior and special cases.

Command Overview

CommandPreferred AuthFallbackNotes
search (base)Configured base-search preferenceSession fallback only when API-first mode is enabledDefaults to session unless [auth.preferred_auth] = "api"
search --lensKAGI_SESSION_TOKENNoneLens requires session token
search with filtersKAGI_SESSION_TOKENNoneRegion, time, date, order, verbatim, and personalization filters require session token
authNoneNoneInteractive TTY wizard; writes config and validates the selected credential
auth statusNoneNoneReads config only
auth checkPrimary credentialNoneTests selected token
auth setNoneNoneSaves credentials
summarizeKAGI_API_TOKENNoneLegacy /api/v0 public API
summarize --subscriberKAGI_SESSION_TOKENNoneSubscriber web product
extractKAGI_API_KEYNoneCurrent /api/v1 Extract API
newsNoneNonePublic endpoint
quickKAGI_SESSION_TOKENNoneQuick Answer web product
ask-pageKAGI_SESSION_TOKENNoneSubscriber feature
assistantKAGI_SESSION_TOKENNoneSubscriber feature
assistant customKAGI_SESSION_TOKENNoneCustom assistant settings
lensKAGI_SESSION_TOKENNoneLens settings management
bang customKAGI_SESSION_TOKENNoneCustom bang settings
redirectKAGI_SESSION_TOKENNoneRedirect rule settings
translateKAGI_SESSION_TOKENNoneText mode only; bootstraps translate_session over HTTP
fastgptKAGI_API_TOKENNoneLegacy /api/v0 public API
enrich webKAGI_API_TOKENNoneLegacy /api/v0 public API
enrich newsKAGI_API_TOKENNoneLegacy /api/v0 public API
smallwebNoneNonePublic feed

Detailed Breakdown

Search Commands

Key insight: Base search is the only command with fallback behavior, and that fallback only matters when you explicitly opt into API-first mode.

Lens Search (kagi search --lens <INDEX>)

No fallback: Lens search requires session token exclusively.

Search Filters and Session-Only Options

--region, --from-date, and --to-date map to the current V1 Search API filters object. --lens, --time, --order, --verbatim, and personalization flags remain session-only because they target the subscriber web-product flow exposed by this CLI.

Authentication Commands

kagi auth

  • Purpose: Interactive setup wizard
  • Network: Yes, during credential validation
  • Uses: The credential the user just pasted
  • Writes: ./.kagi.toml
  • TTY only: In non-interactive environments, use auth set, status, or check

kagi auth status

  • Purpose: Display current configuration
  • Network: No
  • Reads: Environment variables, config file
  • Output: Shows which tokens are configured and their sources

kagi auth check

  • Purpose: Validate credentials work
  • Network: Yes (test search)
  • Uses: Primary credential per [auth.preferred_auth] setting (defaults to session token)
  • No fallback: Tests primary credential only

kagi auth set

  • Purpose: Save credentials to file
  • Network: No
  • Writes: ./.kagi.toml
  • Creates: Config file if doesn’t exist

Content Commands

Summarization

ModeTokenNotes
Public API (default)KAGI_API_TOKENUses legacy Universal Summarizer API
Subscriber (--subscriber)KAGI_SESSION_TOKENUses web product summarizer
Important: These are mutually exclusive. You cannot use --subscriber with API-only options like --engine.

AI Commands

CommandTokenPurpose
quickKAGI_SESSION_TOKENQuick answers with references
ask-pageKAGI_SESSION_TOKENAsk Assistant about one page URL
assistantKAGI_SESSION_TOKENConversational AI with threads
assistant customKAGI_SESSION_TOKENCreate and manage saved assistants
translateKAGI_SESSION_TOKENKagi Translate text mode
fastgptKAGI_API_TOKENQuick factual answers through legacy /api/v0
extractKAGI_API_KEYFull-page markdown extraction through current /api/v1

Settings Commands

CommandTokenPurpose
lensKAGI_SESSION_TOKENManage search lenses
bang customKAGI_SESSION_TOKENManage custom bangs
redirectKAGI_SESSION_TOKENManage redirect rules

Data Commands

Enrichment

Both enrich web and enrich news require legacy KAGI_API_TOKEN:
  • Teclis (web) - Enhanced web search
  • TinyGem (news) - Enhanced news search

Feed Commands

Public Feeds (No Auth Required)

CommandEndpointUpdate Frequency
newsKagi NewsContinuous
smallwebSmall WebPeriodic

Token Requirements by Feature

Session Token Features

Requires KAGI_SESSION_TOKEN:
  • ✅ Lens-aware search (--lens)
  • ✅ Quick Answer (quick)
  • ✅ Session-only search options (--lens, --time, --order, --verbatim, personalization flags)
  • ✅ Kagi Assistant prompt and thread commands (assistant)
  • ✅ Custom assistant management (assistant custom)
  • ✅ Ask Page (ask-page)
  • ✅ Lens management (lens)
  • ✅ Custom bang management (bang custom)
  • ✅ Redirect management (redirect)
  • ✅ Kagi Translate (translate)
  • ✅ Subscriber Summarizer (summarize --subscriber)
  • ✅ Base search (fallback)

API Key Features

Requires KAGI_API_KEY:
  • ✅ Current Search API (search when [auth.preferred_auth] = "api")
  • ✅ Extract API (extract)

Legacy API Token Features

Requires KAGI_API_TOKEN:
  • ✅ FastGPT (fastgpt)
  • ✅ Public Summarizer (summarize)
  • ✅ Web Enrichment (enrich web)
  • ✅ News Enrichment (enrich news)

No Token Required

Works without authentication:
  • ✅ Kagi News (news)
  • ✅ Small Web (smallweb)
  • ✅ Auth status (auth status)

Configuration Precedence

Resolution Order

1. Environment Variables (KAGI_API_KEY, KAGI_API_TOKEN, KAGI_SESSION_TOKEN)
   ↓ (if not set)
2. Configuration File (`./.kagi.toml`)
   ↓ (if not set)
3. Missing (error for commands requiring auth)

Example Scenarios

Scenario 1: Multiple credentials in file 
# ./.kagi.toml
[auth]
api_token = "api123"
api_key = "key123"
session_token = "session456"
  • search: Uses the configured base-search preference (session by default)
  • assistant: Uses session token
  • assistant custom: Uses session token
  • lens: Uses session token
  • news: No token needed
Scenario 2: Mixed sources 
export KAGI_API_KEY="key789"
# ./.kagi.toml has session_token only
  • search: Uses env API key when [auth.preferred_auth] = "api"
  • summarize --subscriber: Uses file session token
  • fastgpt: Requires KAGI_API_TOKEN or [auth].api_token
Scenario 3: Environment overrides file 
export KAGI_SESSION_TOKEN="special_session"
# ./.kagi.toml has different session_token
  • search: Uses env session token (not API, so tries web)
  • assistant: Uses env session token
  • redirect: Uses env session token

Common Configurations

Session Token Only

Setup: 
kagi auth set --session-token 'https://kagi.com/search?token=...'
Working commands:
  • kagi search "query" (uses session path)
  • kagi search --lens 2 "query"
  • kagi quick "what is rust"
  • kagi search --region us --time month "query"
  • kagi ask-page https://example.com "question"
  • kagi assistant "prompt"
  • kagi assistant custom list
  • kagi lens list
  • kagi bang custom list
  • kagi redirect list
  • kagi translate "Bonjour tout le monde"
  • kagi summarize --subscriber --url ...
  • kagi news
  • kagi smallweb
Non-working:
  • kagi fastgpt - requires API token
  • kagi summarize --url ... (without —subscriber) - requires API token
  • kagi enrich web - requires API token
  • kagi extract - requires API key

Legacy API Token Only

Setup: 
kagi auth set --api-token 'your_api_token'
Working commands:
  • kagi summarize --url ...
  • kagi fastgpt "query"
  • kagi enrich web "query"
  • kagi news
  • kagi smallweb
Non-working:
  • kagi search "query" with [auth.preferred_auth] = "api" - requires API key or session token
  • kagi search --lens 2 - requires session token
  • kagi quick - requires session token
  • kagi search --region us "query" - requires session token
  • kagi ask-page https://example.com "question" - requires session token
  • kagi quick - requires session token
  • kagi assistant - requires session token
  • kagi assistant custom list - requires session token
  • kagi lens list - requires session token
  • kagi bang custom list - requires session token
  • kagi redirect list - requires session token
  • kagi summarize --subscriber - requires session token
  • kagi extract - requires API key

Session Token, API Key, and Legacy API Token

Setup: 
kagi auth set --session-token '...' --api-key '...' --api-token '...'
All commands work:
  • ✅ Everything listed above
Smart behavior:
  • search: Uses session (default), or API key if [auth.preferred_auth = "api"] is set
  • extract: Uses API key directly
  • summarize without --subscriber: Uses legacy API token
  • summarize --subscriber: Uses session
  • quick: Uses session
  • ask-page: Uses session
  • assistant: Uses session
  • assistant custom: Uses session
  • lens: Uses session
  • bang custom: Uses session
  • redirect: Uses session
  • fastgpt: Uses legacy API token

Troubleshooting Matrix

SymptomCheckSolution
”missing credentials”kagi auth statusSet appropriate token
”requires KAGI_SESSION_TOKEN”Token typeUse --subscriber or set session token
”requires KAGI_API_KEY”Token typeSet API key for current Search API or Extract
”requires KAGI_API_TOKEN”Token typeRemove --subscriber or set legacy API token
”auth check failed”Token validityRegenerate token in Kagi settings
search --lens failsSession tokenVerify session token configured
fastgpt failsLegacy API token + creditCheck API credit balance

Security Considerations

Token Storage

  • Environment variables: Process-wide, may leak to subprocesses
  • Config file: Stored on disk, should be 600 permissions
  • Shell history: May contain export commands
Recommendation: Use config file for persistence, environment variables for overrides.

Scope of Access

  • Session Token: Full subscriber access (search, assistant, summarizer)
  • API Key: Current /api/v1 API-only access (search, extract)
  • Legacy API Token: Older /api/v0 API-only access (fastgpt, enrich, public summarizer)
Principle: Use least-privilege tokens for specific workflows.

Migration Scenarios

Adding API to existing Session setup

# Already have session token
kagi auth set --api-token 'new_api_token'

# Now fastgpt works
kagi fastgpt "question"

Adding Session to existing API setup

# Already have API token
kagi auth set --session-token 'https://kagi.com/search?token=...'

# Now assistant works
kagi assistant "prompt"

Reference Tables

Quick Reference

Want to…Token NeededCommand
Search generallyEitherkagi search
Use my lensSessionkagi search --lens
Manage my lensesSessionkagi lens
Quick answer from the web productSessionkagi quick
Faster factual answer from the APIAPIkagi fastgpt
AI conversationSessionkagi assistant
Manage saved assistantsSessionkagi assistant custom
Manage custom bangsSessionkagi bang custom
Manage redirect rulesSessionkagi redirect
Translate textSessionkagi translate
Summarize (free API)APIkagi summarize --url
Summarize (subscription)Sessionkagi summarize --subscriber
Read newsNonekagi news
Explore small webNonekagi smallweb

Error to Action Mapping

ErrorMeaningAction
requires KAGI_API_TOKENNeed API accessSet API token or check command flags
requires KAGI_SESSION_TOKENNeed subscriber accessSet session token
missing credentialsNo token configuredSet appropriate token
auth check failedToken invalidRegenerate token