It’s a different example but Super Street Fighter II for the SNES was CAD$99.99 in the 1994 Sears Wishbook which is CAD$191 in today dollars.

My mistake then, it’s more vulnerable then I initially thought. I also don’t think it’s secure even if that weren’t true, just that it’s not worse than single factor passwords (which you also shouldn’t use of security is a concern).

If the fact that a 128-bit value when sent to your server can retrieve a single piece of media or user info then I have real bad news about what you can do with a typically much shorter password.

Is it ideal that you can retrieve streams or user info from Jellyfin if you know the ID of the entity you’re looking for? No, obviously not. But you need to authenticate to get those IDs in the first place, and there are fewer bits of entropy in most people’s passwords than there are in UUIDs.

Being able to get streams unauthenticated by guessing the correct UUID is arguably still better security than using passwords without 2FA.