Skip to main content
Credentials allow you to store login information securely and enable Kernel’s automated re-authentication without requiring user interaction. There are three ways to provide credentials:
  • Automatically save during login — Capture credentials directly from the user when they log in via Hosted UI or Programmatic
  • Pre-store in Kernel — Create credentials before any login for fully headless automation
  • Connect 1Password — Use credentials from your existing 1Password vaults

1Password Integration

Connect your 1Password vaults to automatically use existing credentials with Managed Auth. Credentials are automatically matched by domain.

Save credentials during login

By default, credentials entered during login are automatically saved for re-authentication. No extra parameters are needed: 
const login = await kernel.auth.connections.login(auth.id);
Once saved, the profile stays authenticated automatically. When the session expires, Kernel re-authenticates using the stored credentials. Credentials are updated after every successful login. One-time codes (TOTP, SMS, etc.) are not saved. To opt out of credential saving, set save_credentials: false when creating the connection: 
const auth = await kernel.auth.connections.create({
  domain: 'example.com',
  profile_name: 'my-profile',
  save_credentials: false,
});

Pre-store credentials

For fully automated flows where no user is involved, create credentials upfront: 
const credential = await kernel.credentials.create({
  name: 'my-netflix-login',
  domain: 'netflix.com',
  values: {
    email: 'user@netflix.com',
    password: 'secretpassword123',
  },
});
Then link the credential when creating a connection: 
const auth = await kernel.auth.connections.create({
  domain: 'netflix.com',
  profile_name: 'my-profile',
  credential: { name: credential.name },
});

// Start login - authenticates automatically using stored credentials
const login = await kernel.auth.connections.login(auth.id);

2FA with TOTP

For sites with authenticator app 2FA, include totp_secret to fully automate login: 
const credential = await kernel.credentials.create({
  name: 'my-login',
  domain: 'github.com',
  values: {
    username: 'my-username',
    password: 'my-password',
  },
  totp_secret: 'JBSWY3DPEHPK3PXP',  // From authenticator app setup
});

SSO / OAuth

For sites with “Sign in with Google/GitHub/Microsoft”, set sso_provider and include the OAuth provider’s domains in allowed_domains. The workflow automatically clicks the matching SSO button and completes OAuth: 
const credential = await kernel.credentials.create({
  name: 'my-google-login',
  domain: 'accounts.google.com',
  sso_provider: 'google',
  values: {
    email: 'user@gmail.com',
    password: 'password',
  },
});

const auth = await kernel.auth.connections.create({
  domain: 'target-site.com',
  profile_name: 'my-profile',
  credential: { name: credential.name },
  allowed_domains: ['accounts.google.com', 'google.com'],
});

Partial Credentials

Credentials don’t need to contain every field required by the login form. You can store what you have and collect the necessary fields from the user. auth.connections.login() pauses for missing values. As an example, the below credential has email + TOTP secret stored (and automatically handled), but no password. The password is dynamically collected from the user using Kernel’s Hosted UI or your Programmatic flow: 
const credential = await kernel.credentials.create({
  name: 'my-login',
  domain: 'example.com',
  values: { email: 'user@example.com' },  // No password
  totp_secret: 'JBSWY3DPEHPK3PXP',
});

const auth = await kernel.auth.connections.create({
  domain: 'example.com',
  profile_name: 'my-profile',
  credential: { name: credential.name },
});

const login = await kernel.auth.connections.login(auth.id);

// Poll until password is needed
let state = await kernel.auth.connections.retrieve(auth.id);
while (state.flow_status === 'IN_PROGRESS') {
  if (state.flow_step === 'AWAITING_INPUT' && state.discovered_fields?.length) {
    // Only password field will be pending (email auto-filled from credential)
    await kernel.auth.connections.submit(auth.id, {
      fields: { password: 'user-provided-password' }
    });
  }
  await new Promise(r => setTimeout(r, 2000));
  state = await kernel.auth.connections.retrieve(auth.id);
}
// TOTP auto-submitted from credential → SUCCESS
This is useful when you want to:
  • Store TOTP secrets but have users enter their password each time
  • Pre-fill username/email but collect password at runtime
  • Merge user-provided values into an existing credential automatically on successful login

Security

FeatureDescription
Encrypted at restValues encrypted using per-organization keys
Write-onlyValues cannot be retrieved via API after creation
Never loggedValues are never written to logs
Never sharedValues are never passed to LLMs
Isolated executionAuthentication runs in isolated browser environments

Notes

  • The values object is flexible and can be used to store whatever fields the login form needs (email, username, company_id, etc.)
  • Deleting a credential unlinks it from associated connections so they can no longer auto-authenticate
  • Use one credential per account. We recommend creating separate credentials for different user accounts