Credentials are the automation layer for Agent Auth. Store login information securely, and Kernel handles authentication automatically—no user interaction needed.

Three ways to provide credentials:
  • Save during login — Capture credentials when a user logs in via Hosted UI or Programmatic
  • Pre-store in Kernel — Create credentials before any login for fully headless automation
  • Connect 1Password — Use credentials from your existing 1Password vaults

1Password Integration

Connect your 1Password vaults to automatically use existing credentials with Agent Auth. Credentials are matched by domain—no manual setup per site.

Save credentials during login

Add save_credential_as to any invocation. The credentials entered during login are securely stored:
const invocation = await kernel.agents.auth.invocations.create({
  auth_agent_id: agent.id,
  save_credential_as: 'my-login',
});
Once saved, the profile stays authenticated automatically. When the session expires, Kernel re-authenticates using the stored credentials—no user interaction needed.

Pre-store credentials

For fully automated flows where no user is involved, create credentials upfront:
const credential = await kernel.credentials.create({
  name: 'my-netflix-login',
  domain: 'netflix.com',
  values: {
    email: 'user@netflix.com',
    password: 'secretpassword123',
  },
});
Then link the credential to an auth agent:
const agent = await kernel.agents.auth.create({
  domain: 'netflix.com',
  profile_name: 'my-profile',
  credential_name: credential.name,
});

// Start invocation - logs in automatically using stored credentials
const invocation = await kernel.agents.auth.invocations.create({
  auth_agent_id: agent.id,
});

2FA with TOTP

For sites with authenticator app 2FA, include totp_secret to fully automate login:
const credential = await kernel.credentials.create({
  name: 'my-login',
  domain: 'github.com',
  values: {
    username: 'my-username',
    password: 'my-password',
  },
  totp_secret: 'JBSWY3DPEHPK3PXP',  // From authenticator app setup
});

SSO / OAuth

For sites with “Sign in with Google/GitHub/Microsoft”, set sso_provider and include the OAuth provider in allowed_domains:
const credential = await kernel.credentials.create({
  name: 'my-google-login',
  domain: 'accounts.google.com',
  sso_provider: 'google',
  values: {
    email: 'user@gmail.com',
    password: 'password',
  },
});

const agent = await kernel.agents.auth.create({
  domain: 'target-site.com',
  profile_name: 'my-profile',
  credential_name: credential.name,
  allowed_domains: ['accounts.google.com', 'google.com'],
});
The workflow automatically clicks the matching SSO button and completes OAuth.

Partial Credentials

Credentials don’t need to contain every field. Store what you have, and the flow pauses for missing values.

Example: the credential has an email and a TOTP secret, but no password:
const credential = await kernel.credentials.create({
  name: 'my-login',
  domain: 'example.com',
  values: { email: 'user@example.com' },  // No password
  totp_secret: 'JBSWY3DPEHPK3PXP',
});

const agent = await kernel.agents.auth.create({
  domain: 'example.com',
  profile_name: 'my-profile',
  credential_name: credential.name,
});

const invocation = await kernel.agents.auth.invocations.create({
  auth_agent_id: agent.id,
});

// Poll until password is needed
let state = await kernel.agents.auth.invocations.retrieve(invocation.invocation_id);
while (state.status === 'IN_PROGRESS') {
  if (state.step === 'awaiting_input' && state.pending_fields?.length) {
    // Only password field will be pending (email auto-filled from credential)
    await kernel.agents.auth.invocations.submit(
      invocation.invocation_id,
      { field_values: { password: 'user-provided-password' } }
    );
  }
  await new Promise(r => setTimeout(r, 2000));
  state = await kernel.agents.auth.invocations.retrieve(invocation.invocation_id);
}
// TOTP auto-submitted from credential → SUCCESS
This is useful when you want to:
  • Store TOTP secrets but have users enter their password each time
  • Pre-fill username/email but collect password at runtime
  • Merge user-provided values into an existing credential using save_credential_as

Security

| Feature | Description |
| --- | --- |
| Encrypted at rest | Values encrypted using per-organization keys |
| Write-only | Values cannot be retrieved via API after creation |
| Never logged | Values are never written to logs |
| Never shared | Values are never passed to LLMs |
| Isolated execution | Authentication runs in isolated browser environments |

Notes

  • The values object is flexible—store whatever fields the login form needs (email, username, company_id, etc.)
  • Deleting a credential unlinks it from associated auth agents; they’ll no longer auto-authenticate
  • One credential per account—create separate credentials for different user accounts