Skip to main content
Agent Auth is currently in public beta. Features are subject to change.
Agent Auth creates and maintains authenticated browser profiles for your automations. Store credentials once, and Kernel monitors auth state and re-authenticates automatically when needed. When you launch a browser with the profile, you’re already logged in and ready to go.

How It Works

1

Create an Auth Agent

An Auth Agent represents a login session for a specific website and profile. Create one for each domain + profile combination.
const agent = await kernel.agents.auth.create({
  domain: 'netflix.com',
  profile_name: 'netflix-user-123',
});
2

Start Authentication

Start the login flow. Users provide credentials via the hosted page (or your own UI).
const invocation = await kernel.agents.auth.invocations.create({
  auth_agent_id: agent.id,
});

// Send user to login page
console.log('Login URL:', invocation.hosted_url);

// Poll until complete
let state = await kernel.agents.auth.invocations.retrieve(invocation.invocation_id);
while (state.status === 'IN_PROGRESS') {
  await new Promise(r => setTimeout(r, 2000));
  state = await kernel.agents.auth.invocations.retrieve(invocation.invocation_id);
}

if (state.status === 'SUCCESS') {
  console.log('Authenticated!');
}
3

Use the Profile

Create browsers with the profile and navigate to the site—the session is already authenticated.
const browser = await kernel.browsers.create({
  profile: { name: 'netflix-user-123' },
  stealth: true,
});

// Navigate to the site—you're already logged in
await page.goto('https://netflix.com');
For fully automated flows, link Credentials to enable re-authentication without user input.

Choose Your Integration

Hosted UI

Start here - Simplest integrationRedirect users to Kernel’s hosted page. Add features incrementally: save credentials for auto-reauth, custom login URLs, SSO support.

Programmatic

Full control - Custom UI or headlessBuild your own credential collection. Handle login fields, SSO buttons, MFA selection, and external actions (push notifications, security keys).
Layer in Credentials to enable fully automated re-authentication when sessions expire—no user interaction needed.

Why Agent Auth?

The most valuable workflows live behind logins. Agent Auth provides:
  • Works on any website - Login pages discovered and handled automatically
  • SSO/OAuth support - “Sign in with Google/GitHub/Microsoft” buttons work out of the box via allowed_domains
  • 2FA/OTP handling - TOTP codes automated, SMS/email/push OTP supported
  • Post-login URL - Get the URL where login landed (post_login_url) so you can start automations from the right page
  • Session monitoring - Automatic re-authentication when sessions expire (with stored credentials)
  • Secure by default - Credentials encrypted at rest, never exposed in API responses or passed to LLMs

Security

FeatureDescription
Encrypted credentialsValues encrypted with per-organization keys
No credential exposureNever returned in API responses or passed to LLMs
Encrypted profilesBrowser session state encrypted end-to-end
Isolated executionEach login runs in an isolated browser environment