While it's relatively trivial to run something like:

  fetch(new Request("https://kagi.com/search?q=test", { method: "GET", headers: new Headers({ "X-Kagi-PrivacyPass-Client": true })})).then((r) => console.log(r.headers.get("www-authenticate")))

A simple response in the body to something like <https://kagi.com/privacypass> would be easier to check.

And you answered someone else:

> It is also something anyone else could do to keep us honest :)

While true I believe for such a feature making it as easy as possible for your users to check independently is just better.