From 616e319fa3417667a182b0e4c58656a3d073d09d Mon Sep 17 00:00:00 2001 From: Catherine Jue Date: Mon, 9 Feb 2026 22:56:48 -0800 Subject: [PATCH 1/2] Managed Auth Profile tweaks --- info/pricing.mdx | 12 +++---- profiles/credentials.mdx | 26 ++++++++-------- profiles/managed-auth/faq.mdx | 43 ++++++++++++-------------- profiles/managed-auth/hosted-ui.mdx | 18 +++++------ profiles/managed-auth/overview.mdx | 25 +++++++-------- profiles/managed-auth/programmatic.mdx | 2 +- profiles/overview.mdx | 4 +++ 7 files changed, 64 insertions(+), 66 deletions(-) diff --git a/info/pricing.mdx b/info/pricing.mdx index 418201f..34b28f1 100644 --- a/info/pricing.mdx +++ b/info/pricing.mdx @@ -42,6 +42,12 @@ With Browser Pools, you pay the standard usage-based price per GB-second while b > Note: Disk space charges are waived for Enterprise plan customers. +## Managed Auth + +Managed Auth is included on all paid plans with no per-connection fees. Under the hood, it uses browser sessions to log in and keep your sessions fresh—these count toward your browser usage and concurrency like any other browser session. + +Auth sessions are fast (typically 5-30 seconds each). Kernel monitors session health and re-authenticates automatically when sessions expire—most stay valid for days. For example, keeping 100 auth connections logged in typically costs less than $5/month in browser usage. + ## Concurrency limits | Feature | Developer (free + usage) | Hobbyist ($30 / mo + usage) | Start-Up ($200 / mo + usage) | Enterprise | 
@@ -54,12 +60,6 @@ With Browser Pools, you pay the standard usage-based price per GB-second while b > Note: Limits are org-wide by default unless stated otherwise. `Managed auth profiles` refer to the number of active auth connections that Kernel maintains using your stored [Credentials](/profiles/credentials) or [1Password connection](/integrations/1password). -## Managed Auth billing - -Managed Auth is included on all paid plans with no per-connection fees. Under the hood, it uses browser sessions to log in and keep your sessions fresh—these count toward your browser usage and concurrency like any other browser session. - -Auth sessions are fast (typically 5-30 seconds each). Kernel monitors session health and re-authenticates automatically when sessions expire—most stay valid for days. For example, keeping 100 auth connections logged in typically costs less than $5/month in browser usage. - ## Pricing calculator import { PricingCalculator } from '/snippets/calculator.jsx'; diff --git a/profiles/credentials.mdx b/profiles/credentials.mdx index 13a15e3..491342d 100644 --- a/profiles/credentials.mdx +++ b/profiles/credentials.mdx 
@@ -3,15 +3,15 @@ title: "Credentials" description: "Automate authentication with stored credentials" --- -Credentials are the automation layer for Managed Auth. Store login information securely, and Kernel handles authentication automatically—no user interaction needed. +Credentials allow you to store login information securely and enable Kernel's automated re-authentication without requiring user interaction. -**Three ways to provide credentials:** -- **Save during login** — Capture credentials when a user logs in via [Hosted UI](/profiles/managed-auth/hosted-ui) or [Programmatic](/profiles/managed-auth/programmatic) +**There are three ways to provide credentials:** +- **Automatically save during login** — Capture credentials directly from the user when they log in via [Hosted UI](/profiles/managed-auth/hosted-ui) or [Programmatic](/profiles/managed-auth/programmatic) - **Pre-store in Kernel** — Create credentials before any login for fully headless automation - **Connect 1Password** — Use credentials from your existing 1Password vaults - Connect your 1Password vaults to automatically use existing credentials with Managed Auth. Credentials are matched by domain—no manual setup per site. + Connect your 1Password vaults to automatically use existing credentials with Managed Auth. Credentials are automatically matched by domain. ## Save credentials during login @@ -33,7 +33,7 @@ login = await kernel.auth.connections.login( ``` -Once saved, the profile stays authenticated automatically. When the session expires, Kernel re-authenticates using the stored credentials—no user interaction needed. +Once saved, the profile stays authenticated automatically. When the session expires, Kernel re-authenticates using the stored credentials. ## Pre-store credentials 
@@ -121,7 +121,9 @@ credential = await kernel.credentials.create( ### SSO / OAuth -For sites with "Sign in with Google/GitHub/Microsoft", set `sso_provider` and include the OAuth provider in `allowed_domains`: +For sites with "Sign in with Google/GitHub/Microsoft", set `sso_provider` and include the OAuth provider's domains in `allowed_domains`. + +The workflow automatically clicks the matching SSO button and completes OAuth: ```typescript TypeScript @@ -163,13 +165,11 @@ auth = await kernel.auth.connections.create( ``` -The workflow automatically clicks the matching SSO button and completes OAuth. - ## Partial Credentials -Credentials don't need to contain every field. Store what you have, and the flow pauses for missing values. +Credentials don't need to contain every field required by the login form. You can store what you have and collect the necessary fields from the user. `auth.connections.login()` pauses for missing values. -**Example:** Credential has email + TOTP secret, but no password: +As an example, the below credential has email + TOTP secret stored (and automatically handled), but no password. The password is dynamically collected from the user using Kernel's Hosted UI or your Programmatic flow: ```typescript TypeScript @@ -251,6 +251,6 @@ This is useful when you want to: ## Notes -- The `values` object is flexible—store whatever fields the login form needs (`email`, `username`, `company_id`, etc.) -- Deleting a credential unlinks it from associated connections; they'll no longer auto-authenticate -- One credential per account—create separate credentials for different user accounts +- The `values` object is flexible and can be used to store whatever fields the login form needs (`email`, `username`, `company_id`, etc.) +- Deleting a credential unlinks it from associated connections so they can no longer auto-authenticate +- Use one credential per account. We recommend creating separate credentials for different user accounts 
diff --git a/profiles/managed-auth/faq.mdx b/profiles/managed-auth/faq.mdx index a00879e..c8fb0aa 100644 --- a/profiles/managed-auth/faq.mdx +++ b/profiles/managed-auth/faq.mdx 
@@ -1,26 +1,30 @@ --- title: FAQ -description: Frequently asked questions about Managed Auth --- -## How does re-authentication work? +## How does automatic re-authentication work? -When you link credentials to a connection, Kernel monitors the session and re-authenticates automatically when it expires. Periodic health checks (default: every hour) detect logged-out sessions and trigger re-auth in the background, so the profile stays logged in without any action on your part. +When you link credentials to a connection, Kernel monitors the login session and re-authenticates automatically when it expires. Periodic health checks detect logged-out sessions and trigger re-auth in the background, so the profile stays logged in without additional action on your part. -Automatic re-authentication only works when credentials are complete and don't require human input. If login needs SMS/email OTP, push notifications, or manual MFA selection, you'll need to trigger a new login session manually. +Automatic re-authentication only works when the stored credentials are complete and don't require human input. If login needs SMS/email OTP, push notifications, or manual MFA selection, you'll need to trigger a new login session manually. -## How do I know if a connection can auto-reauth? -Check the `can_reauth` field on a connection. This boolean tells you whether Kernel can automatically re-authenticate the connection when the session expires. +## How often are health checks performed? -`can_reauth` is `true` when **all** of the following are met: +Health checks are performed every hour. -1. **Credential linked** — A credential is attached to the connection (stored in Kernel or via an external provider like [1Password](/integrations/1password)) -2. **Login URL set** — The connection has a `login_url` (set automatically after the first successful login, or provided manually) -3. 
**Login flow learned** — At least one successful login has completed so Kernel has learned the login flow for the site -4. **No external action required** — The learned login flow doesn't require human intervention (see below) +## How do I know if a Kernel can automatically re-authenticate a connection? + +Check the `can_reauth` field on a connection. This boolean checks the following conditions: + +1. **Credential linked** — A credential must be attached to the connection (stored in Kernel or via an external provider like [1Password](/integrations/1password)) +2. **Login URL set** — The connection must have a `login_url` (set automatically after the first successful login, or provided manually) +3. **Login flow learned** — At least one successful login has been completed so Kernel has learned the login flow for the site +4. **No external action required** — The learned login flow doesn't require human intervention + +Only if all of the above conditions are met will `can_reauth` be `true`. When true, Kernel will attempt to automatically re-authenticate the connection. ### External actions that prevent auto-reauth 
@@ -28,18 +32,9 @@ After a successful login, Kernel saves the login flow. If the flow includes step If your login flow requires one of these, you can still automate around it: - **Switch to TOTP** — If the site supports authenticator apps, add a `totp_secret` to your credential. TOTP codes are generated automatically, so the login flow won't require external action. -- **Trigger manual re-auth** — Start a new login session when `status` is `NEEDS_AUTH` and route the user through the [Hosted UI](/profiles/managed-auth/hosted-ui) or [Programmatic](/profiles/managed-auth/programmatic) flow. - -## How do I know if a connection needs authentication? - -Check the connection's `status` field: - -- `AUTHENTICATED` — Profile is logged in and ready to use -- `NEEDS_AUTH` — Profile needs authentication (auto-reauth failed or isn't possible) - -If `status` is `NEEDS_AUTH`, start a new login session. This happens when auto-reauth fails (e.g., password changed), when credentials require human input, or when `can_reauth` is `false`. +- **Trigger manual re-auth** — Start a new login session and route the user through the [Hosted UI](/profiles/managed-auth/hosted-ui) or [Programmatic](/profiles/managed-auth/programmatic) flow. -## What authentication methods are supported? +## Which authentication methods are supported? Managed Auth supports username/password authentication and most SSO providers. 
@@ -53,11 +48,11 @@ If a login attempt fails, Kernel will retry with exponential backoff. After mult - Invalid credentials - Bot detection blocking the login page -- Captcha that couldn't be solved +- CAPTCHAs that couldn't be solved ## Can I use Managed Auth with any website? -Managed Auth works with any website. Sites with aggressive bot detection may require additional configuration (stealth mode, proxies). Passkeys and hardware security keys are not currently supported. +Managed Auth works with most websites. Sites with aggressive bot detection may require additional configuration (stealth mode, proxies). Passkeys and hardware security keys are not currently supported. ## How is Managed Auth billed? diff --git a/profiles/managed-auth/hosted-ui.mdx b/profiles/managed-auth/hosted-ui.mdx index df71542..f32b573 100644 --- a/profiles/managed-auth/hosted-ui.mdx +++ b/profiles/managed-auth/hosted-ui.mdx @@ -3,7 +3,7 @@ title: "Hosted UI" description: "The simplest way to create authenticated browser sessions" --- -Collect credentials via Kernel's hosted page, then use the authenticated session in your automations. This is the recommended approach for most applications. +Collect credentials securely via Kernel's hosted page, then use the authenticated session in your automations. This is the recommended approach for most applications. Use the Hosted UI when: - You need users to provide their credentials @@ -97,12 +97,12 @@ if state.status == "AUTHENTICATED": -Poll every 2 seconds. The session expires after 5 minutes if not completed. +Poll no more than every 2 seconds. The session expires after 5 minutes if not completed. ### 5. Use the Profile -Create browsers with the profile and navigate to the site—the session is already authenticated: +Create browsers with the profile and navigate to the site. The browser session will already be authenticated: ```typescript TypeScript 
@@ -127,7 +127,7 @@ await page.goto("https://linkedin.com") -Use `stealth: true` when creating browsers for authenticated sessions. +Managed Auth Connections are generated using Kernel's [stealth](/browsers/bot-detection/stealth) mode. Use `stealth: true` when creating authenticated browser sessions for the best experience. @@ -227,7 +227,7 @@ login = await kernel.auth.connections.login( ``` -After successful login, future login sessions for this connection will automatically use the saved credentials—no user interaction needed. See [Credentials](/profiles/credentials) for more on automated authentication. +After successful login, future login sessions for this connection will automatically use the saved credentials without requiring user interaction. See [Credentials](/profiles/credentials) for more on automated authentication. ### Custom Login URL @@ -253,7 +253,9 @@ auth = await kernel.auth.connections.create( ### SSO/OAuth Support -For sites with "Sign in with Google/GitHub/Microsoft", add the OAuth provider's domains to `allowed_domains`: +Sites with "Sign in with Google/GitHub/Microsoft" are supported. The user completes the OAuth flow with the provider, and the authenticated session is automatically saved to the Kernel profile. + +Make sure to add all of the OAuth provider's domains to `allowed_domains`: ```typescript TypeScript @@ -273,11 +275,9 @@ auth = await kernel.auth.connections.create( ``` -The user can click the SSO button on the hosted page, complete OAuth with the provider, and the authenticated session is saved to the profile. - ### Post-Login URL -After successful authentication, retrieve the connection to get `post_login_url`—the page where the login landed. Use this to start your automation from the right place: +After successful authentication, `post_login_url` will be set to the page where the login landed. Use this start your automation from the right place: ```typescript TypeScript 
diff --git a/profiles/managed-auth/overview.mdx b/profiles/managed-auth/overview.mdx index ca9b18f..cdaab83 100644 --- a/profiles/managed-auth/overview.mdx +++ b/profiles/managed-auth/overview.mdx @@ -7,13 +7,13 @@ description: "Create authenticated browser sessions for your automations" Managed Auth is currently in public beta. Features are subject to change. -Managed Auth creates and maintains authenticated browser profiles for your automations. Store credentials once, and Kernel monitors auth state and re-authenticates automatically when needed. When you launch a browser with the profile, you're already logged in and ready to go. +Managed Auth creates and maintains authenticated browser profiles for your AI agents and web automations. Store credentials once, and Kernel re-authenticates automatically when needed. When you launch a browser with the managed profile, you're already logged in and ready to go. ## How It Works - A **Managed Auth Connection** links a profile to a domain. Create one for each domain + profile combination you want to keep authenticated. + A **Managed Auth Connection** links a profile to a website domain. Create one for each domain + profile combination you want to keep authenticated. ```typescript TypeScript @@ -32,7 +32,9 @@ auth = await kernel.auth.connections.create( - A **Managed Auth Session** is the login flow. Start one to authenticate—users provide credentials via the hosted page (or your own UI). + A **Managed Auth Session** is the corresponding login flow for the specified connection. Users provide credentials via a Kernel-hosted page or your own UI. + + Specify a [Credential](/profiles/credentials) to enable re-authentication without user input. ```typescript TypeScript 
@@ -74,9 +76,10 @@ if state.status == "AUTHENTICATED": print("Authenticated!") ``` + - Create browsers with the profile and navigate to the site—the session is already authenticated. + Once the auth connection completes, create browsers with the profile and navigate to the site. The browser session will already be authenticated. ```typescript TypeScript @@ -100,7 +103,6 @@ await page.goto("https://netflix.com") ``` - For fully automated flows, link [Credentials](/profiles/credentials) to enable re-authentication without user input. @@ -119,20 +121,17 @@ await page.goto("https://netflix.com") - -Layer in [Credentials](/profiles/credentials) to enable fully automated re-authentication when sessions expire—no user interaction needed. - ## Why Managed Auth? The most valuable workflows live behind logins. Managed Auth provides: -- **Works on any website** - Login pages discovered and handled automatically -- **SSO/OAuth support** - "Sign in with Google/GitHub/Microsoft" buttons work out of the box via `allowed_domains` -- **2FA/OTP handling** - TOTP codes automated, SMS/email/push OTP supported +- **Works on any website** - Login pages are discovered and handled automatically +- **SSO/OAuth support** - "Sign in with Google/GitHub/Microsoft" buttons work out-of-the-box via `allowed_domains` +- **2FA/OTP handling** - TOTP codes automated, SMS/email/push OTP are supported - **Post-login URL** - Get the URL where login landed (`post_login_url`) so you can start automations from the right page -- **Session monitoring** - Automatic re-authentication when sessions expire (with stored credentials) -- **Secure by default** - Credentials encrypted at rest, never exposed in API responses or passed to LLMs +- **Session monitoring** - Automatic re-authentication when sessions expire with stored credentials +- **Secure by default** - Credentials encrypted at rest, never exposed in API responses, or passed to LLMs ## Security 
diff --git a/profiles/managed-auth/programmatic.mdx b/profiles/managed-auth/programmatic.mdx index b2c98ba..b513ac6 100644 --- a/profiles/managed-auth/programmatic.mdx +++ b/profiles/managed-auth/programmatic.mdx @@ -305,7 +305,7 @@ if state.mfa_options: ``` -After selecting an MFA method, the flow continues—poll for `discovered_fields` to submit the code, or handle external actions for push/security key. +After selecting an MFA method, the flow continues. Poll for `discovered_fields` to submit the code, or handle external actions for push/security key. ### External Actions (Push, Security Key) diff --git a/profiles/overview.mdx b/profiles/overview.mdx index 0fff88d..44e9998 100644 --- a/profiles/overview.mdx +++ b/profiles/overview.mdx @@ -5,6 +5,10 @@ description: "Persist and reuse browser session state (cookies, local storage) a Profiles let you capture browser state created during a session (cookies and local storage) and reuse it in later sessions. This is useful for persisting login state or other site preferences across browser sessions. + + If you're looking to maintain authenticated browser sessions, check out [Managed Auth](/profiles/managed-auth/overview). + + ## 1. Create a profile The first step in using profiles is to create one, optionally giving it a meaningful `name` that is unique within your organization. From e60339dae9e0eaef7a2b0ca9bd420cf22aac93ad Mon Sep 17 00:00:00 2001 From: Catherine Jue Date: Tue, 10 Feb 2026 09:59:45 -0800 Subject: [PATCH 2/2] Address comments --- profiles/managed-auth/faq.mdx | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/profiles/managed-auth/faq.mdx b/profiles/managed-auth/faq.mdx index c8fb0aa..777034b 100644 --- a/profiles/managed-auth/faq.mdx +++ b/profiles/managed-auth/faq.mdx 
@@ -13,16 +13,17 @@ Automatic re-authentication only works when the stored credentials are complete ## How often are health checks performed? -Health checks are performed every hour. +Health checks on regular cadences based on your plan: +- Hobbyist (1 hr) +- Start-Up (15 min) +- Enterprise (configurable) ## How do I know if a Kernel can automatically re-authenticate a connection? Check the `can_reauth` field on a connection. This boolean checks the following conditions: 1. **Credential linked** — A credential must be attached to the connection (stored in Kernel or via an external provider like [1Password](/integrations/1password)) -2. **Login URL set** — The connection must have a `login_url` (set automatically after the first successful login, or provided manually) -3. **Login flow learned** — At least one successful login has been completed so Kernel has learned the login flow for the site -4. **No external action required** — The learned login flow doesn't require human intervention +2. **No external action required** — The learned login flow doesn't require human intervention Only if all of the above conditions are met will `can_reauth` be `true`. When true, Kernel will attempt to automatically re-authenticate the connection. 
@@ -58,4 +59,4 @@ Managed Auth works with most websites. Sites with aggressive bot detection may r Managed Auth is included on all paid plans with no per-connection fees. It uses browser sessions to log in and keep your sessions fresh—these count toward your browser usage like any other browser session. -Auth sessions are fast (typically 5-30 seconds each). Kernel monitors session health and re-authenticates automatically when sessions expire—most stay valid for days. For example, keeping 100 auth connections logged in typically costs less than $5/month in browser usage. See [Pricing & Limits](/info/pricing#managed-auth-billing) for details. +Auth sessions are fast (typically 5-30 seconds each). Kernel monitors session health and re-authenticates automatically when sessions expire—most stay valid for days. For example, keeping 100 auth connections logged in typically costs less than $5/month in browser usage. See [Pricing & Limits](/info/pricing#managed-auth) for details.
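Review bot: In profiles/managed-auth/faq.mdx (PATCH 1/2, hunk at -1,26), the frontmatter `description:` line is removed with no replacement, while credentials.mdx, hosted-ui.mdx and overview.mdx keep theirs in the context lines. Restore it or say why the FAQ should go without one. The new heading in the same hunk, "How do I know if a Kernel can automatically re-authenticate a connection?", has a stray "a" before "Kernel", and PATCH 2/2 carries it forward as context.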
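Review bot: In profiles/managed-auth/faq.mdx (PATCH 1/2, hunk at -28,18), removing the "How do I know if a connection needs authentication?" section together with the "when `status` is `NEEDS_AUTH`" clause in the "Trigger manual re-auth" bullet leaves the FAQ with no stated signal for when a manual login is required. The page still tells readers they will "need to trigger a new login session manually", so keep one sentence naming the `status` values (`AUTHENTICATED`, `NEEDS_AUTH`) or link to the page that documents them.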
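Review bot: In profiles/managed-auth/faq.mdx (PATCH 1/2, hunk at -53,11), "Managed Auth works with most websites" now disagrees with the overview.mdx bullet that this same patch edits, which still reads "**Works on any website**". Pick one claim and use it in both places; the FAQ answer itself goes on to say passkeys and hardware security keys are not supported.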
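Review bot: In profiles/managed-auth/hosted-ui.mdx (PATCH 1/2, hunk at -97,12), "Poll no more than every 2 seconds" can be read as either a minimum or a maximum interval. If the intent is a rate ceiling, "Poll no more often than once every 2 seconds" says so unambiguously.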
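Review bot: In profiles/managed-auth/hosted-ui.mdx (PATCH 1/2, SSO/OAuth Support hunk at -253,7), "Make sure to add all of the OAuth provider's domains to `allowed_domains`" does not tell the reader how to determine that set, and credentials.mdx words the same instruction as "include the OAuth provider's domains". Since this is an allowlist, state which domains are meant (for example, the ones in the code sample that follows) and use the same wording on both pages.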
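Review bot: In profiles/managed-auth/hosted-ui.mdx (PATCH 1/2, Post-Login URL hunk at -273,11), "Use this start your automation" is missing "to". The rewrite also drops "retrieve the connection to get", so the sentence no longer says where `post_login_url` is read from; adding "on the connection" would keep that.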
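Review bot: In profiles/managed-auth/overview.mdx (PATCH 1/2, "Why Managed Auth?" hunk at -119,20), the comma added in "never exposed in API responses, or passed to LLMs" detaches "passed to LLMs" from "never", so the security claim can be misread. Suggest "never exposed in API responses and never passed to LLMs". In the same list, dropping the parentheses in "when sessions expire with stored credentials" attaches the qualifier to "expire"; "when sessions expire, if credentials are stored" keeps the original meaning.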
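Review bot: In profiles/managed-auth/faq.mdx (PATCH 2/2, hunk at -13,16), cutting the `can_reauth` list to two conditions leaves item 2 referring to "The learned login flow" with nothing in the list saying a login must have completed first. State what `can_reauth` reports for a connection that has a credential linked but has never logged in, and change "all of the above conditions" to "both conditions". In the same hunk, "Health checks on regular cadences based on your plan:" has no verb ("Health checks run on ..."), and the list omits the Developer plan that the info/pricing.mdx table lists; say whether health checks apply there.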
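Review bot: In profiles/managed-auth/faq.mdx (PATCH 2/2, hunk at -58,4), the context sentence says auth sessions "count toward your browser usage like any other browser session", while the info/pricing.mdx section this link now targets says they count toward "your browser usage and concurrency". Align the FAQ wording with the pricing page so readers do not miss the concurrency impact.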