
How does automatic re-authentication work?

When you link credentials to a connection, Kernel monitors the login session and re-authenticates automatically when it expires. Periodic health checks detect logged-out sessions and trigger re-auth in the background, so the profile stays logged in without additional action on your part.
Automatic re-authentication only works when the stored credentials are complete and don’t require human input. If login needs SMS/email OTP, push notifications, or manual MFA selection, you’ll need to trigger a new login session manually.

How often are health checks performed?

Health checks run on a regular cadence based on your plan:
  • Hobbyist (1 hr)
  • Start-Up (15 min)
  • Enterprise (configurable)

How do I know if Kernel can automatically re-authenticate a connection?

Check the can_reauth field on a connection. This boolean reflects the following conditions:
  1. Credential linked — A credential must be attached to the connection (stored in Kernel or via an external provider like 1Password)
  2. Sufficient credentials — The stored credential must contain all fields required by the login flow (e.g., if the login requires both email and password, both must be stored)
  3. No external action required — The learned login flow doesn’t require human intervention
Only if all of the above conditions are met will can_reauth be true. When true, Kernel will attempt to automatically re-authenticate the connection.

External actions that prevent auto-reauth

After a successful login, Kernel saves the login flow. If the flow includes steps that require human action—like SMS/email OTP, push notifications, or manual MFA selection—Kernel marks the connection as unable to auto-reauth because those steps can’t be automated without user input. If your login flow requires one of these, you can still automate around it:
  • Switch to TOTP — If the site supports authenticator apps, add a totp_secret to your credential. TOTP codes are generated automatically, so the login flow won’t require external action.
  • Trigger manual re-auth — Start a new login session and route the user through the Hosted UI or Programmatic flow.
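Why a totp_secret removes the external action, shown as an added example (not Kernel's code): a TOTP code is a pure function of the stored secret and the clock, per RFC 6238. The function names are illustrative, and the sketch assumes a base32 secret with the common HMAC-SHA1, 6-digit, 30-second parameters.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_secret(totp_secret: str) -> bytes:
    """Decode a base32 secret as displayed on authenticator setup screens."""
    # Setup screens often show the secret lowercase, grouped, and unpadded.
    cleaned = totp_secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


def totp(totp_secret: str, at: Optional[float] = None,
         digits: int = 6, step: int = 30) -> str:
    """Return the RFC 6238 code for the time `at` (defaults to now)."""
    key = decode_secret(totp_secret)
    now = time.time() if at is None else at
    counter = int(now // step)  # number of whole time steps since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte picks
    # a 4-byte window; the top bit is masked to avoid sign issues.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_remaining(at: Optional[float] = None, step: int = 30) -> int:
    """Seconds until the current code rolls over to the next one."""
    now = time.time() if at is None else at
    return step - int(now) % step


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test key "12345678901234567890",
    # base32-encoded and formatted the way a setup screen might show it.
    sample = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    print(totp(sample), "valid for", seconds_remaining(), "more seconds")
```

Anything holding the secret can produce valid codes at any time, so the totp_secret carries the same sensitivity as the password stored beside it.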

Can I update an existing connection’s settings?

Yes. Use the update endpoint to change login_url, credential, allowed_domains, health_check_interval, save_credentials, or proxy on an existing connection without recreating it. Changes take effect on the next login or health check.

Which authentication methods are supported?

Managed Auth supports username/password authentication, most SSO providers, and TOTP-based 2FA. Kernel automatically handles multi-step login flows including SSO provider selection, organization/account pickers, and CAPTCHA challenges.
Passkey-based authentication (e.g., Google accounts with passkeys enabled) and hardware security keys are not currently supported. If a login requires one of these methods, the flow will fail with the unsupported_auth_method error code.

What happens if login fails?

If a login attempt fails, Kernel will retry with exponential backoff. After multiple failures, the login flow will be marked as failed and you’ll receive an error with an error_code. Common failure reasons include:
  • invalid_credentials — The credentials were rejected by the site
  • bot_detected — Bot detection blocked the login attempt
  • captcha_unsolved — A CAPTCHA appeared that couldn’t be solved
  • network_error — Network connectivity issues during login
  • unsupported_auth_method — Login requires passkeys or hardware security keys
  • awaiting_input_timeout — Timed out waiting for user input
  • external_action_timeout — Timed out waiting for email/SMS verification or push notification
  • max_steps_exceeded — Login flow exceeded the maximum step limit
See the full error codes reference for details.

Can I use Managed Auth with any website?

Managed Auth works with most websites. Sites with aggressive bot detection may require additional configuration (stealth mode, proxies). Passkeys and hardware security keys are not currently supported.

What are sign-in options?

Sign-in options are non-MFA choices that appear during login, such as account pickers (“Which account do you want to use?”) or organization selectors. They’re different from MFA options, which appear after credentials are accepted. When sign_in_options appears in the session state, present the options to the user and submit their choice using sign_in_option_id. See Programmatic Flow for details.

How is Managed Auth billed?

Managed Auth is included on all paid plans with no per-connection fees. It uses browser sessions to log in and keep your sessions fresh—these count toward your browser usage like any other browser session. Auth sessions are fast (typically 5-30 seconds each). Kernel monitors session health and re-authenticates automatically when sessions expire—most stay valid for days. For example, keeping 100 auth connections logged in typically costs less than $5/month in browser usage. See Pricing & Limits for details.