goban.co certainly has some usefulness, but it still has some disadvantages compared to my suggestion:
There is no instant redirect to the new board, so when you visit goban.co you need to press “Share” button. Copying URL from address bar would be slightly faster. But this is minor.
If same board is opened by two people they can both play both colors. I suggest that game starter chooses ruleset and who plays what color so it can’t be changed by other player, unless they switch to analyze mode. It can be implemented via cookies or by redirecting the second player to a new secret URL after game is accepted.
Maybe include the ability to add a password?
I think that a secret URL is better than password. It works technically like a password but it’s integrated in the link. Example URL to illustrate my point:
Then if game is not marked private, it means that knowing partial URL like https://online-go.com/game/12345678 would be enough to spectate the game, while full URL is necessary to accept it. After game is accepted, second player can be redirected to other URL, which is unknown even to game starter, which allows whoever knows it place stones for the second player side:
This way game can be continued from other device, unlike in solution with cookies.
which one of them has an account at OGS that allows them to create a game
Perhaps guests should be also allowed to create games of this kind without registration?
Unlike regular games, password-url games won’t be displayed in public list of open game challenges, so it would not give aforementioned trolls and sandbaggers and others any additional freedoms.
Two unregistered users playing with each other won’t put too much strain on the server I think, and otherwise it’s on par with allowing unregistered access to puzzles.
A registered / unregistered games should not affect rank of the registered user, then sandbagging would be prevented.
And registered / registered pairings won’t be any different after game is started, but challenge could be sent via any texting means.
By the way, in order to make retyping challenge URLs easier, passwords can be generated in a way which avoids 1 l I and O 0.