diff --git a/src-tauri/src/ipc.rs b/src-tauri/src/ipc.rs
index 4ec8317..ea6a62c 100644
--- a/src-tauri/src/ipc.rs
+++ b/src-tauri/src/ipc.rs
@@ -12,6 +12,7 @@ use crate::state::AppState;
 pub struct Request {
 pub id: u64,
 pub clients: Vec>,
+ pub base: bool,
 }
diff --git a/src-tauri/src/server.rs b/src-tauri/src/server.rs
index e9fd750..02fe4e3 100644
--- a/src-tauri/src/server.rs
+++ b/src-tauri/src/server.rs
@@ -58,8 +58,8 @@ impl Handler {
 self.stream.write(b"HTTP/1.0 403 Access Denied\r\n\r\n").await?;
 return Ok(())
 }
- // at present only the running exe should be permitted to access this route
- if req_path == b"/creddy/base-credentials" {
+ let base = req_path == b"/creddy/base-credentials";
+ if base {
 if clients.len() != 1 || clients[0].is_none() || clients[0].as_ref().unwrap().exe != std::env::current_exe()?
@@ -69,14 +69,14 @@ impl Handler {
 }
 }
- let req = Request {id: self.request_id, clients};
+ let req = Request {id: self.request_id, clients, base};
 self.app.emit_all("credentials-request", &req)?;
 let starting_visibility = self.show_window()?;
 match self.wait_for_response().await? {
 Approval::Approved => {
 let state = self.app.state::();
- let creds = if req_path == b"/creddy/base-credentials" {
+ let creds = if base {
 state.serialize_base_creds().await?
 } else {
diff --git a/src/App.svelte b/src/App.svelte
index 4f0d979..1a96d9f 100644
--- a/src/App.svelte
+++ b/src/App.svelte
@@ -15,6 +15,7 @@ invoke('get_config').then(config => $appState.config = config); listen('credentials-request', (tauriEvent) => { $appState.pendingRequests.put(tauriEvent.payload); });
+window.state = $appState;
 acceptRequest();
diff --git a/src/views/Approve.svelte b/src/views/Approve.svelte
index 6ad1040..0b2dd99 100644
--- a/src/views/Approve.svelte
+++ b/src/views/Approve.svelte
@@ -80,6 +80,18 @@ {/if}
+ {#if $appState.currentRequest.base}
+
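Review bot: The first server.rs hunk deletes the comment that explained the base-credentials guard and puts nothing in its place, so `if base {` no longer says why this route is restricted to one caller. I would carry the comment over to the new lines, e.g. `// at present only the running exe should be permitted to access this route` directly above `let base = req_path == b"/creddy/base-credentials";`. The guard identifies the caller by comparing `clients[0]`'s `exe` with `std::env::current_exe()?`, which as far as these lines show is a path comparison. Stating that in the comment lets a reader judge how much the restriction actually guarantees. The body of the `if` continues outside the hunk.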
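Review bot: `window.state = $appState;` in the App.svelte hunk reads like a debugging aid that was committed with the feature. It publishes the application state (on this page that includes `config` and `pendingRequests`) on the global object, where any script running in the webview can reach it. Nothing in this diff consumes `window.state`, and this app's job is to gate credential requests, so I would drop the line from the commit. If it is wanted while developing, keep it behind a development-only condition so release builds do not carry it.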
+
+ + + WARNING: This application is requesting your base (long-lived) AWS credentials. + These crednetials are less secure than session credentials, since they don't expire automatically. + +
+
+ {/if} +

{appName ? `"${appName}"` : 'An appplication'} would like to access your AWS credentials.
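Review bot: The added warning misspells "credentials" as `These crednetials`. This is the text a user relies on when deciding whether to approve a long-lived-credential request, so it should read `These credentials are less secure than session credentials, since they don't expire automatically.` The markup around the message is not visible on this page, so only the wording is reviewed here.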