Skip to main content
Managed Auth creates and maintains authenticated browser sessions for your AI agents. Store credentials once, and Kernel re-authenticates automatically when needed. When you launch Kernel browsers with Managed Auth connections, your agent starts already logged in and ready to go.

How It Works

1

Create a Connection

A Managed Auth Connection attaches an authenticated domain to a browser profile so you can automatically be logged in when you launch future browsers. A single profile can have multiple auth connections — one per domain you want to keep authenticated.
import Kernel from '@onkernel/sdk';

const kernel = new Kernel();

const auth = await kernel.auth.connections.create({
  domain: 'netflix.com',
  profile_name: 'netflix-user-123',
});
2

Start a Login Session

A Managed Auth Session is the corresponding login flow for the specified connection. Users provide credentials via a Kernel-hosted page or your own UI.Specify a Credential to enable re-authentication without user input.
const login = await kernel.auth.connections.login(auth.id);

// Send user to login page
console.log('Login URL:', login.hosted_url);

// Poll until complete
let state = await kernel.auth.connections.retrieve(auth.id);
while (state.flow_status === 'IN_PROGRESS') {
  await new Promise(r => setTimeout(r, 2000));
  state = await kernel.auth.connections.retrieve(auth.id);
}

if (state.status === 'AUTHENTICATED') {
  console.log('Authenticated!');
}
3

Use the Profile

Once the auth connection completes, the authenticated session is saved to the browser profile specified in step 1. You can attach additional auth connections to the same profile for other domains. When you create a browser with the profile, all of its auth connections are available — the browser session will already be logged in to every connected domain.
import { chromium } from 'playwright';

const kernelBrowser = await kernel.browsers.create({
  profile: { name: 'netflix-user-123' },
  stealth: true,
});

const browser = await chromium.connectOverCDP(kernelBrowser.cdp_ws_url);
const context = browser.contexts()[0];
const page = context.pages()[0];

// Navigate to the site—you're already logged in
await page.goto('https://netflix.com');

Choose Your Integration

Hosted UI

Start here - Simplest integrationRedirect users to Kernel’s hosted page. Add features incrementally: save credentials for auto-reauth, custom login URLs, SSO support.

Programmatic

Full control - Custom UI or headlessBuild your own credential collection. Handle login fields, SSO buttons, MFA selection, and external actions (push notifications, security keys).

Why Managed Auth?

Managed Auth automates login flows — navigating login pages, filling credentials, handling SSO redirects, and completing MFA challenges. It keeps your profiles logged in across sessions. The most valuable workflows live behind logins. Managed Auth provides:
  • Works on any website - Login pages are discovered and handled automatically
  • SSO/OAuth support - “Sign in with Google/GitHub/Microsoft” buttons work out-of-the-box, with common SSO provider domains automatically allowed
  • 2FA/OTP handling - TOTP codes automated with automatic retry on expiry, SMS/email/push OTP are supported
  • Post-login URL - Get the URL where login landed (post_login_url) so you can start automations from the right page
  • Session monitoring - Automatic re-authentication when sessions expire with stored credentials
  • Secure by default - Credentials encrypted at rest, never exposed in API responses, or passed to LLMs

Security

FeatureDescription
Encrypted credentialsValues encrypted with per-organization keys
No credential exposureNever returned in API responses or passed to LLMs
Encrypted profilesBrowser session state encrypted end-to-end
Isolated executionEach login runs in an isolated browser environment