For the web client, we're not actually sending your private key, because it's not safe to persist in the browser (without something like a Chrome extension). We're sharing the auth token via the same end-to-end encryption that we use for direct casts.