
# Overview

> Maintain authenticated browser sessions for agents

Managed Auth creates and maintains authenticated browser sessions for your AI agents. Store credentials once, and Kernel re-authenticates automatically when needed. When you launch Kernel browsers with Managed Auth connections, your agent starts already logged in and ready to go.

## How It Works

<Steps>
  <Step title="Create a Connection">
    A **Managed Auth Connection** attaches an authenticated domain to a browser [profile](/auth/profiles), so that future browsers launched with that profile are already logged in. A single profile can have multiple auth connections, one per domain you want to keep authenticated.

    <CodeGroup>
      ```typescript TypeScript theme={null}
      const auth = await kernel.auth.connections.create({
        domain: 'netflix.com',
        profile_name: 'netflix-user-123',
      });
      ```

      ```python Python theme={null}
      auth = await kernel.auth.connections.create(
          domain="netflix.com",
          profile_name="netflix-user-123",
      )
      ```

      ```go Go theme={null}
      auth, err := client.Auth.Connections.New(ctx, kernel.AuthConnectionNewParams{
      	ManagedAuthCreateRequest: kernel.ManagedAuthCreateRequestParam{
      		Domain:      "netflix.com",
      		ProfileName: "netflix-user-123",
      	},
      })
      if err != nil {
      	panic(err)
      }
      _ = auth
      ```
    </CodeGroup>
  </Step>

  <Step title="Start a Login Session">
    A **Managed Auth Session** is the corresponding login flow for the specified connection. Users provide credentials via a Kernel-hosted page or your own UI.

    Specify a [Credential](/auth/credentials) to enable re-authentication without user input.

    <CodeGroup>
      ```typescript TypeScript theme={null}
      const login = await kernel.auth.connections.login(auth.id);

      // Send user to login page
      console.log('Login URL:', login.hosted_url);

      // Poll until complete
      let state = await kernel.auth.connections.retrieve(auth.id);
      while (state.flow_status === 'IN_PROGRESS') {
        await new Promise(r => setTimeout(r, 2000));
        state = await kernel.auth.connections.retrieve(auth.id);
      }

      if (state.status === 'AUTHENTICATED') {
        console.log('Authenticated!');
      }
      ```

      ```python Python theme={null}
      import asyncio

      login = await kernel.auth.connections.login(auth.id)

      # Send user to login page
      print(f"Login URL: {login.hosted_url}")

      # Poll until complete
      state = await kernel.auth.connections.retrieve(auth.id)
      while state.flow_status == "IN_PROGRESS":
          await asyncio.sleep(2)
          state = await kernel.auth.connections.retrieve(auth.id)

      if state.status == "AUTHENTICATED":
          print("Authenticated!")
      ```

      ```go Go theme={null}
      login, err := client.Auth.Connections.Login(ctx, auth.ID, kernel.AuthConnectionLoginParams{})
      if err != nil {
      	panic(err)
      }

      // Send user to login page
      fmt.Println("Login URL:", login.HostedURL)

      // Poll until complete
      state, err := client.Auth.Connections.Get(ctx, auth.ID)
      if err != nil {
      	panic(err)
      }
      for state.FlowStatus == kernel.ManagedAuthFlowStatusInProgress {
      	time.Sleep(2 * time.Second)
      	state, err = client.Auth.Connections.Get(ctx, auth.ID)
      	if err != nil {
      		panic(err)
      	}
      }

      if state.Status == kernel.ManagedAuthStatusAuthenticated {
      	fmt.Println("Authenticated!")
      }
      ```
    </CodeGroup>
  </Step>

  <Step title="Use the Profile">
    Once the auth connection completes, the authenticated session is saved to the browser [profile](/auth/profiles) specified in step 1. You can attach additional auth connections to the same profile for other domains. When you create a browser with the profile, all of its auth connections are available — the browser session will already be logged in to every connected domain.

    <CodeGroup>
      ```typescript TypeScript theme={null}
      const browser = await kernel.browsers.create({
        profile: { name: 'netflix-user-123' },
        stealth: true,
      });

      // `page` is a Playwright page attached to this browser session (connection code not shown).
      // Navigate to the site; you're already logged in
      await page.goto('https://netflix.com');
      ```

      ```python Python theme={null}
      browser = await kernel.browsers.create(
          profile={"name": "netflix-user-123"},
          stealth=True,
      )

      # `page` is a Playwright page attached to this browser session (connection code not shown).
      # Navigate to the site; you're already logged in
      await page.goto("https://netflix.com")
      ```

      ```go Go theme={null}
      browser, err := client.Browsers.New(ctx, kernel.BrowserNewParams{
      	Profile: shared.BrowserProfileParam{
      		Name: kernel.String("netflix-user-123"),
      	},
      	Stealth: kernel.Bool(true),
      })
      if err != nil {
      	panic(err)
      }
      _ = browser

      // Navigate to the site—you're already logged in
      _, err = client.Browsers.Playwright.Execute(ctx, browser.SessionID, kernel.BrowserPlaywrightExecuteParams{
      	Code: `await page.goto("https://netflix.com");`,
      })
      if err != nil {
      	panic(err)
      }
      ```
    </CodeGroup>
  </Step>
</Steps>

The steps above are the integration loop — what you wire up once per connection. After the initial login, the connection enters its runtime loop of periodic health checks and automatic re-authentication; see [Connection Lifecycle](/auth/connection-lifecycle) for how that works and how to tune it.
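
A bounded version of the step 2 polling loop, as an added example that is not part of Kernel's documentation or SDK: it stops waiting after a deadline and raises when the flow ends in any status other than `AUTHENTICATED`, instead of falling through silently. `wait_for_login`, `LoginFailed`, `fake_retrieve` and the `FLOW_ENDED` / `NOT_AUTHENTICATED` values are hypothetical names made up for this example; only `flow_status`, `status`, `IN_PROGRESS` and `AUTHENTICATED` come from the page.

```python
import asyncio
import time
from types import SimpleNamespace


class LoginFailed(Exception):
    """The login flow finished but the connection is not authenticated."""


async def wait_for_login(retrieve, connection_id, timeout_s=300.0, interval_s=2.0):
    """Poll retrieve(connection_id) until flow_status leaves IN_PROGRESS.

    Raises TimeoutError if the deadline passes first, and LoginFailed if the
    flow ends in any status other than AUTHENTICATED.
    """
    deadline = time.monotonic() + timeout_s
    while True:
        state = await retrieve(connection_id)
        if state.flow_status != "IN_PROGRESS":
            break
        if time.monotonic() >= deadline:
            raise TimeoutError(f"login for {connection_id} still in progress after {timeout_s}s")
        await asyncio.sleep(interval_s)
    if state.status != "AUTHENTICATED":
        # Surface the failure to the caller; report only the two status fields.
        raise LoginFailed(f"flow_status={state.flow_status!r} status={state.status!r}")
    return state


def fake_retrieve(states):
    """Constructed stand-in for kernel.auth.connections.retrieve (runs offline)."""
    remaining = list(states)

    async def retrieve(_connection_id):
        # Replay the scripted states; repeat the last one once the script runs out.
        flow_status, status = remaining.pop(0) if len(remaining) > 1 else remaining[0]
        return SimpleNamespace(flow_status=flow_status, status=status)

    return retrieve


if __name__ == "__main__":
    # "FLOW_ENDED" and "NOT_AUTHENTICATED" are placeholders, not real API values.
    script = [("IN_PROGRESS", "NOT_AUTHENTICATED"), ("FLOW_ENDED", "AUTHENTICATED")]
    state = asyncio.run(wait_for_login(fake_retrieve(script), "conn-example", interval_s=0.01))
    print(state.status)
```

With the SDK client from the steps above, pass `kernel.auth.connections.retrieve` and `auth.id` in place of the fake.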

## Choose Your Integration

<CardGroup cols={3}>
  <Card title="Hosted UI" icon="browser" href="/auth/hosted-ui">
    **Start here** - Simplest integration

    Redirect users to Kernel's hosted page. Add features incrementally: save credentials for auto-reauth, custom login URLs, SSO support.
  </Card>

  <Card title="React Component" icon="react" href="/auth/react">
    **Embed in your app** - Drop-in component

    Mount `<KernelManagedAuth />` on a route in your own app. Same flow as Hosted UI, rendered on your origin and trivial to restyle to match your brand.
  </Card>

  <Card title="Programmatic" icon="code" href="/auth/programmatic">
    **Full control** - Custom UI or headless

    Build your own credential collection. Handle login fields, SSO buttons, MFA selection, and external actions (push notifications, security keys).
  </Card>
</CardGroup>

## Why Managed Auth?

Managed Auth automates **login flows** — navigating login pages, filling credentials, handling SSO redirects, and completing MFA challenges. It keeps your profiles logged in across sessions.

The most valuable workflows live behind logins. Managed Auth provides:

* **Works on any website** - Login pages are discovered and handled automatically
* **SSO/OAuth support** - "Sign in with Google/GitHub/Microsoft" buttons work out-of-the-box, with common SSO provider domains automatically allowed
* **2FA/OTP handling** - TOTP codes are automated, with automatic retry on expiry; SMS/email/push OTP are also supported
* **Post-login URL** - Get the URL where login landed (`post_login_url`) so you can start automations from the right page
* **Session monitoring** - [Periodic health checks](/auth/connection-lifecycle) and, when sessions expire, automatic re-authentication with stored credentials
* **Secure by default** - Credentials are encrypted at rest and are never exposed in API responses or passed to LLMs

## Security

| Feature                    | Description                                        |
| -------------------------- | -------------------------------------------------- |
| **Encrypted credentials**  | Values encrypted with per-organization keys        |
| **No credential exposure** | Never returned in API responses or passed to LLMs  |
| **Encrypted profiles**     | Browser session state encrypted end-to-end         |
| **Isolated execution**     | Each login runs in an isolated browser environment |
