Query API key can be used on any query

Hi,

I have a self hosted instance of Redash (8.0.2+b37747), and was looking at the ability to load the latest query results using the URL provided from the query page:

I have found that I can use the api_key from this page for any queries in my account, for example, I can simply change the /1 in the url to /2 and obtain those results. I wanted to confirm my understanding for this API key is that it should only allow access to the individual query, not all?

I’ve just found https://github.com/getredash/redash/issues/1979 which sounds like what I am seeing, however that was closed long ago. Potentially a regression?

Ah, I have just realised that this must be because I had a browser session open at the same time which could access the other query, so I suppose it much have fallen back on that?