Skip to main content

Authentication Matrix

This reference provides a complete mapping of which commands require which authentication tokens, including fallback behavior and special cases.

Command Overview

CommandPreferred AuthFallbackNotes
search (base)KAGI_API_TOKENKAGI_SESSION_TOKEN on auth rejectionSmart fallback behavior
search --lensKAGI_SESSION_TOKENNoneLens requires session token
auth statusNoneNoneReads config only
auth checkPrimary credentialNoneTests selected token
auth setNoneNoneSaves credentials
summarizeKAGI_API_TOKENNonePaid public API
summarize --subscriberKAGI_SESSION_TOKENNoneSubscriber web product
newsNoneNonePublic endpoint
assistantKAGI_SESSION_TOKENNoneSubscriber feature
fastgptKAGI_API_TOKENNonePaid public API
enrich webKAGI_API_TOKENNonePaid public API
enrich newsKAGI_API_TOKENNonePaid public API
smallwebNoneNonePublic feed

Detailed Breakdown

Search Commands

Key insight: Base search is the only command with fallback behavior. This maximizes utility while maintaining predictable auth for other commands.

Lens Search (kagi search --lens <INDEX>)

No fallback: Lens search requires session token exclusively.

Authentication Commands

kagi auth status

  • Purpose: Display current configuration
  • Network: No
  • Reads: Environment variables, config file
  • Output: Shows which tokens are configured and their sources

kagi auth check

  • Purpose: Validate credentials work
  • Network: Yes (test search)
  • Uses: Primary credential (API if available, else session)
  • No fallback: Tests primary credential only

kagi auth set

  • Purpose: Save credentials to file
  • Network: No
  • Writes: ./.kagi.toml
  • Creates: Config file if doesn’t exist

Content Commands

Summarization

ModeTokenNotes
Public API (default)KAGI_API_TOKENUses Universal Summarizer API
Subscriber (--subscriber)KAGI_SESSION_TOKENUses web product summarizer
Important: These are mutually exclusive. You cannot use --subscriber with API-only options like --engine.

AI Commands

CommandTokenPurpose
assistantKAGI_SESSION_TOKENConversational AI with threads
fastgptKAGI_API_TOKENQuick factual answers

Data Commands

Enrichment

Both enrich web and enrich news require KAGI_API_TOKEN:
  • Teclis (web) - Enhanced web search
  • TinyGem (news) - Enhanced news search

Feed Commands

Public Feeds (No Auth Required)

CommandEndpointUpdate Frequency
newsKagi NewsContinuous
smallwebSmall WebPeriodic

Token Requirements by Feature

Session Token Features

Requires KAGI_SESSION_TOKEN:
  • ✅ Lens-aware search (--lens)
  • ✅ Kagi Assistant (assistant)
  • ✅ Subscriber Summarizer (summarize --subscriber)
  • ✅ Base search (fallback)

API Token Features

Requires KAGI_API_TOKEN:
  • ✅ FastGPT (fastgpt)
  • ✅ Public Summarizer (summarize)
  • ✅ Web Enrichment (enrich web)
  • ✅ News Enrichment (enrich news)
  • ✅ Base search (preferred path)

No Token Required

Works without authentication:
  • ✅ Kagi News (news)
  • ✅ Small Web (smallweb)
  • ✅ Auth status (auth status)

Configuration Precedence

Resolution Order

1. Environment Variables (KAGI_API_TOKEN, KAGI_SESSION_TOKEN)
   ↓ (if not set)
2. Configuration File (`./.kagi.toml`)
   ↓ (if not set)
3. Missing (error for commands requiring auth)

Example Scenarios

Scenario 1: Both tokens in file 
# ./.kagi.toml
[auth]
api_token = "api123"
session_token = "session456"
  • search: Uses API token (preferred)
  • assistant: Uses session token
  • news: No token needed
Scenario 2: Mixed sources 
export KAGI_API_TOKEN="api789"
# ./.kagi.toml has session_token only
  • search: Uses env API token (takes precedence)
  • summarize --subscriber: Uses file session token
  • fastgpt: Uses env API token
Scenario 3: Environment overrides file 
export KAGI_SESSION_TOKEN="special_session"
# ./.kagi.toml has different session_token
  • search: Uses env session token (not API, so tries web)
  • assistant: Uses env session token

Common Configurations

Session Token Only

Setup: 
kagi auth set --session-token 'https://kagi.com/search?token=...'
Working commands:
  • kagi search "query" (uses session path)
  • kagi search --lens 2 "query"
  • kagi assistant "prompt"
  • kagi summarize --subscriber --url ...
  • kagi news
  • kagi smallweb
Non-working:
  • kagi fastgpt - requires API token
  • kagi summarize --url ... (without —subscriber) - requires API token
  • kagi enrich web - requires API token

API Token Only

Setup: 
kagi auth set --api-token 'your_api_token'
Working commands:
  • kagi search "query" (uses API path)
  • kagi summarize --url ...
  • kagi fastgpt "query"
  • kagi enrich web "query"
  • kagi news
  • kagi smallweb
Non-working:
  • kagi search --lens 2 - requires session token
  • kagi assistant - requires session token
  • kagi summarize --subscriber - requires session token

Both Tokens

Setup: 
kagi auth set --session-token '...' --api-token '...'
All commands work:
  • ✅ Everything listed above
Smart behavior:
  • search: Uses API (preferred), falls back to session if needed
  • summarize without --subscriber: Uses API
  • summarize --subscriber: Uses session
  • assistant: Uses session
  • fastgpt: Uses API

Troubleshooting Matrix

SymptomCheckSolution
”missing credentials”kagi auth statusSet appropriate token
”requires KAGI_SESSION_TOKEN”Token typeUse --subscriber or set session token
”requires KAGI_API_TOKEN”Token typeRemove --subscriber or set API token
”auth check failed”Token validityRegenerate token in Kagi settings
search --lens failsSession tokenVerify session token configured
fastgpt failsAPI token + creditCheck API credit balance

Security Considerations

Token Storage

  • Environment variables: Process-wide, may leak to subprocesses
  • Config file: Stored on disk, should be 600 permissions
  • Shell history: May contain export commands
Recommendation: Use config file for persistence, environment variables for overrides.

Scope of Access

  • Session Token: Full subscriber access (search, assistant, summarizer)
  • API Token: API-only access (fastgpt, enrich, public summarizer)
Principle: Use least-privilege tokens for specific workflows.

Migration Scenarios

Adding API to existing Session setup

# Already have session token
kagi auth set --api-token 'new_api_token'

# Now fastgpt works
kagi fastgpt "question"

Adding Session to existing API setup

# Already have API token
kagi auth set --session-token 'https://kagi.com/search?token=...'

# Now assistant works
kagi assistant "prompt"

Reference Tables

Quick Reference

Want to…Token NeededCommand
Search generallyEitherkagi search
Use my lensSessionkagi search --lens
Quick answersAPIkagi fastgpt
AI conversationSessionkagi assistant
Summarize (free API)APIkagi summarize --url
Summarize (subscription)Sessionkagi summarize --subscriber
Read newsNonekagi news
Explore small webNonekagi smallweb

Error to Action Mapping

ErrorMeaningAction
requires KAGI_API_TOKENNeed API accessSet API token or check command flags
requires KAGI_SESSION_TOKENNeed subscriber accessSet session token
missing credentialsNo token configuredSet appropriate token
auth check failedToken invalidRegenerate token