Skip to main content
Credentials allow you to store login information securely and enable Kernel’s automated re-authentication without requiring user interaction. There are three ways to provide credentials:
  • Automatically save during login — Capture credentials directly from the user when they log in via Hosted UI or Programmatic
  • Pre-store in Kernel — Create credentials before any login for fully headless automation
  • Connect 1Password — Use credentials from your existing 1Password vaults

1Password Integration

Connect your 1Password vaults to automatically use existing credentials with Managed Auth. Credentials are automatically matched by domain.

Save credentials during login

By default, credentials entered during login are automatically saved for re-authentication. No extra parameters are needed:
Once saved, browser profiles stay authenticated automatically. When the session expires, Kernel re-authenticates using the stored credentials. Credentials are updated after every successful login. One-time codes (TOTP, SMS, etc.) are not saved. To opt out of credential saving, set save_credentials: false when creating the connection:

Pre-store credentials

For fully automated flows where no user is involved, create credentials upfront:
Then link the credential when creating a connection:

2FA with TOTP

For sites with authenticator app 2FA, include totp_secret to fully automate login:

SSO / OAuth

For sites with “Sign in with Google/GitHub/Microsoft”, set sso_provider and Kernel automatically clicks the matching SSO button and completes OAuth. Common SSO provider domains (Google, Microsoft, Okta, Auth0, GitHub, etc.) are automatically allowed — you don’t need to add them to allowed_domains:

Partial Credentials

Credentials don’t need to contain every field required by the login form. You can store what you have and collect the necessary fields from the user. auth.connections.login() pauses for missing values. As an example, the below credential has email + TOTP secret stored (and automatically handled), but no password. The password is dynamically collected from the user using Kernel’s Hosted UI or your Programmatic flow:
This is useful when you want to:
  • Store TOTP secrets but have users enter their password each time
  • Pre-fill username/email but collect password at runtime
  • Merge user-provided values into an existing credential automatically on successful login

Security

Notes

  • The values object is flexible and can be used to store whatever fields the login form needs (email, username, company_id, etc.)
  • Deleting a credential unlinks it from associated connections so they can no longer auto-authenticate
  • Use one credential per account. We recommend creating separate credentials for different user accounts