Skip to main content
Agent Auth creates and maintains authenticated browser profiles for your automations. Store credentials once, and Kernel monitors auth state and re-authenticates automatically when needed. When you launch a browser with the profile, you’re already logged in and ready to go.

How It Works

1

Create an Auth Agent

An Auth Agent represents a login session for a specific website and profile. Create one for each domain + profile combination.
const agent = await kernel.agents.auth.create({
  domain: 'netflix.com',
  profile_name: 'netflix-user-123',
});
2

Start Authentication

Start the login flow. Users provide credentials via the hosted page (or your own UI).
const invocation = await kernel.agents.auth.invocations.create({
  auth_agent_id: agent.id,
});

// Send user to login page
console.log('Login URL:', invocation.hosted_url);

// Poll until complete
let state = await kernel.agents.auth.invocations.retrieve(invocation.invocation_id);
while (state.status === 'IN_PROGRESS') {
  await new Promise(r => setTimeout(r, 2000));
  state = await kernel.agents.auth.invocations.retrieve(invocation.invocation_id);
}

if (state.status === 'SUCCESS') {
  console.log('Authenticated!');
}
3

Use the Profile

Create browsers with the profile and navigate to the site—the session is already authenticated.
const browser = await kernel.browsers.create({
  profile: { name: 'netflix-user-123' },
  stealth: true,
});

// Navigate to the site—you're already logged in
await page.goto('https://netflix.com');
For fully automated flows, link Credentials to enable re-authentication without user input.

Choose Your Integration

Hosted UI

Start here - Simplest integrationRedirect users to Kernel’s hosted page. Add features incrementally: save credentials for auto-reauth, custom login URLs, SSO support.

Programmatic

Full control - Custom UI or headlessBuild your own credential collection. Handle login fields, SSO buttons, MFA selection, and external actions (push notifications, security keys).
Layer in Credentials to enable fully automated re-authentication when sessions expire—no user interaction needed.

Why Agent Auth?

The most valuable workflows live behind logins. Agent Auth provides:
  • Works on any website - Login pages discovered and handled automatically
  • SSO/OAuth support - “Sign in with Google/GitHub/Microsoft” buttons work out of the box via allowed_domains
  • 2FA/OTP handling - TOTP codes automated, SMS/email/push OTP supported
  • Post-login URL - Get the URL where login landed (post_login_url) so you can start automations from the right page
  • Session monitoring - Automatic re-authentication when sessions expire (with stored credentials)
  • Secure by default - Credentials encrypted at rest, never exposed in API responses or passed to LLMs

Security

FeatureDescription
Encrypted credentialsValues encrypted with per-organization keys
No credential exposureNever returned in API responses or passed to LLMs
Encrypted profilesBrowser session state encrypted end-to-end
Isolated executionEach login runs in an isolated browser environment