How It Works
Create a Connection
A Managed Auth Connection creates a browser profile for a domain you want to keep authenticated so you can automatically be logged in when you launch future browsers. Create one for each domain + user combination you want to keep authenticated.
Start a Login Session
A Managed Auth Session is the corresponding login flow for the specified connection. Users provide credentials via a Kernel-hosted page or your own UI.Specify a Credential to enable re-authentication without user input.
Use the Profile
Once the auth connection completes, the connection is saved to the browser profile you created in step 1. Create browsers with the profile and navigate to the site. The browser session will already be authenticated.
Choose Your Integration
Hosted UI
Start here - Simplest integrationRedirect users to Kernel’s hosted page. Add features incrementally: save credentials for auto-reauth, custom login URLs, SSO support.
Programmatic
Full control - Custom UI or headlessBuild your own credential collection. Handle login fields, SSO buttons, MFA selection, and external actions (push notifications, security keys).
Why Managed Auth?
The most valuable workflows live behind logins. Managed Auth provides:- Works on any website - Login pages are discovered and handled automatically, with advanced bot detection avoidance for sites with aggressive anti-automation
- SSO/OAuth support - “Sign in with Google/GitHub/Microsoft” buttons work out-of-the-box via
allowed_domains, including SSO provider selection and organization/account pickers - 2FA/OTP handling - TOTP codes automated, SMS/email/push OTP are supported, with automatic MFA option selection
- Post-login URL - Get the URL where login landed (
post_login_url) so you can start automations from the right page - Session monitoring - Automatic re-authentication when sessions expire with stored credentials
- Update connections - Change
login_url,credential,allowed_domains,health_check_interval, and more on existing connections without recreating them - Secure by default - Credentials encrypted at rest, never exposed in API responses, or passed to LLMs
Error Codes
When a login flow fails, theerror_code field indicates the reason:
| Error Code | Description |
|---|---|
invalid_credentials | The provided credentials were rejected by the site |
bot_detected | The site’s bot detection blocked the login attempt |
captcha_unsolved | A CAPTCHA appeared that couldn’t be solved |
network_error | Network connectivity issues during login |
unsupported_auth_method | Login requires an unsupported auth method (passkey, security key) |
awaiting_input_timeout | Timed out waiting for user input |
external_action_timeout | Timed out waiting for an external action (email/SMS verification, push notification) |
max_steps_exceeded | Login flow exceeded the maximum step limit |
Security
| Feature | Description |
|---|---|
| Encrypted credentials | Values encrypted with per-organization keys |
| No credential exposure | Never returned in API responses or passed to LLMs |
| Encrypted profiles | Browser session state encrypted end-to-end |
| Isolated execution | Each login runs in an isolated browser environment |