Invocations
Proxies
Browsers
- GETList browser sessions
- POSTCreate a browser session
- GETGet browser session details
- DELDelete a browser session by ID.
- PATCHUpdate browser session
- POSTAd-hoc upload one or more unpacked extensions to a running browser instance.
- POSTExecute a batch of computer actions sequentially
- POSTGet the current mouse cursor position on the browser instance
- POSTMake an HTTP request through the browser's network stack
Browser Replays
Browser Telemetry
Browser Computer Controls
- POSTSimulate a mouse click action on the browser instance
- POSTMove the mouse cursor to the specified coordinates on the browser instance
- POSTCapture a screenshot of the browser instance
- POSTType text on the browser instance
- POSTPress one or more keys on the host computer
- POSTScroll the mouse wheel at a position on the host computer
- POSTDrag the mouse along a path
- POSTSet cursor visibility
- POSTRead text from the clipboard on the browser instance
- POSTWrite text to the clipboard on the browser instance
Apps
Deployments
Browser Filesystem
- GETRead file contents
- PUTWrite or create a file
- GETList files in a directory
- PUTCreate a new directory
- PUTDelete a file
- PUTDelete a directory
- PUTSet file or directory permissions/ownership
- GETGet information about a file or directory
- PUTMove or rename a file or directory
- POSTWatch a directory for changes
- GETStream filesystem events for a watch
- DELStop watching a directory
- GETDownload a directory as a ZIP archive
- POSTUpload one or more files
- POSTUpload a zip archive and extract it
Browser Processes
Browser Playwright
Browser Pools
Profiles
Managed Auth
Extensions
import Kernel from '@onkernel/sdk';
const client = new Kernel({
apiKey: process.env['KERNEL_API_KEY'], // This is the default and can be omitted
});
const managedAuth = await client.auth.connections.update('id');
console.log(managedAuth.id);{
"id": "ma_abc123xyz",
"profile_name": "my-netflix-profile",
"domain": "netflix.com",
"status": "AUTHENTICATED",
"save_credentials": true,
"record_session": false,
"last_auth_check_at": "2025-01-15T10:30:00Z",
"last_auth_at": "2025-01-15T10:30:00Z",
"credential": {
"name": "my-netflix-creds",
"provider": "my-1p",
"path": "Personal/Netflix",
"auto": true
},
"can_reauth": true,
"can_reauth_reason": "has_credential",
"proxy_id": "<string>",
"allowed_domains": [
"login.netflix.com",
"auth.netflix.com"
],
"login_url": "https://example.com/login",
"post_login_url": "https://www.netflix.com/browse",
"flow_status": "IN_PROGRESS",
"flow_step": "AWAITING_INPUT",
"flow_type": "LOGIN",
"flow_expires_at": "2025-11-05T20:00:00Z",
"discovered_fields": [
{
"name": "email",
"type": "email",
"label": "Email address",
"selector": "input#email",
"placeholder": "you@example.com",
"required": true,
"linked_mfa_type": "sms",
"hint": "Enter the phone ending in (***) ***-**92"
}
],
"mfa_options": [
{
"type": "sms",
"label": "Text me a code",
"target": "***-***-5678",
"description": "We'll send a 6-digit code to your phone"
}
],
"sign_in_options": [
{
"id": "work-account",
"label": "Work Account (user@company.com)",
"description": "user@company.com"
}
],
"pending_sso_buttons": [
{
"selector": "xpath=//button[contains(text(), 'Continue with Google')]",
"provider": "google",
"label": "Continue with Google"
}
],
"external_action_message": "Tap 'Yes' on the Google prompt on your phone",
"website_error": "<string>",
"sso_provider": "google",
"error_message": "Invalid password",
"error_code": "<string>",
"hosted_url": "https://auth.kernel.com/login/abc123xyz",
"live_view_url": "https://live.kernel.com/abc123xyz",
"browser_session_id": "bs_abc123xyz",
"health_check_interval": 3600,
"health_checks": true,
"auto_reauth": true
}Update auth connection
Update an auth connection’s configuration. Only the fields provided will be updated.
import Kernel from '@onkernel/sdk';
const client = new Kernel({
apiKey: process.env['KERNEL_API_KEY'], // This is the default and can be omitted
});
const managedAuth = await client.auth.connections.update('id');
console.log(managedAuth.id);{
"id": "ma_abc123xyz",
"profile_name": "my-netflix-profile",
"domain": "netflix.com",
"status": "AUTHENTICATED",
"save_credentials": true,
"record_session": false,
"last_auth_check_at": "2025-01-15T10:30:00Z",
"last_auth_at": "2025-01-15T10:30:00Z",
"credential": {
"name": "my-netflix-creds",
"provider": "my-1p",
"path": "Personal/Netflix",
"auto": true
},
"can_reauth": true,
"can_reauth_reason": "has_credential",
"proxy_id": "<string>",
"allowed_domains": [
"login.netflix.com",
"auth.netflix.com"
],
"login_url": "https://example.com/login",
"post_login_url": "https://www.netflix.com/browse",
"flow_status": "IN_PROGRESS",
"flow_step": "AWAITING_INPUT",
"flow_type": "LOGIN",
"flow_expires_at": "2025-11-05T20:00:00Z",
"discovered_fields": [
{
"name": "email",
"type": "email",
"label": "Email address",
"selector": "input#email",
"placeholder": "you@example.com",
"required": true,
"linked_mfa_type": "sms",
"hint": "Enter the phone ending in (***) ***-**92"
}
],
"mfa_options": [
{
"type": "sms",
"label": "Text me a code",
"target": "***-***-5678",
"description": "We'll send a 6-digit code to your phone"
}
],
"sign_in_options": [
{
"id": "work-account",
"label": "Work Account (user@company.com)",
"description": "user@company.com"
}
],
"pending_sso_buttons": [
{
"selector": "xpath=//button[contains(text(), 'Continue with Google')]",
"provider": "google",
"label": "Continue with Google"
}
],
"external_action_message": "Tap 'Yes' on the Google prompt on your phone",
"website_error": "<string>",
"sso_provider": "google",
"error_message": "Invalid password",
"error_code": "<string>",
"hosted_url": "https://auth.kernel.com/login/abc123xyz",
"live_view_url": "https://live.kernel.com/abc123xyz",
"browser_session_id": "bs_abc123xyz",
"health_check_interval": 3600,
"health_checks": true,
"auto_reauth": true
}Documentation Index
Fetch the complete documentation index at: https://kernel.sh/docs/llms.txt
Use this file to discover all available pages before exploring further.
Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Path Parameters
Auth connection ID
Body
Request to update an auth connection's configuration
Login page URL. Set to empty string to clear.
"https://netflix.com/login"
Reference to credentials for the auth connection. Use one of:
- { name } for Kernel credentials
- { provider, path } for external provider item
- { provider, auto: true } for external provider domain lookup
Show child attributes
Show child attributes
Additional domains valid for this auth flow (replaces existing list)
["login.netflix.com", "auth.netflix.com"]Interval in seconds between automatic health checks
300 <= x <= 864003600
Whether periodic health checks are enabled. When set to false, the system will not
automatically verify authentication status, and auto_reauth has no effect on the
automatic flow (since re-auth is only triggered by a failed scheduled health check).
true
Whether automatic re-authentication is permitted for this connection. This is an opt-in
flag only — it does not check whether re-auth is actually feasible. Even when true,
re-auth only runs when the system has what it needs to perform it (for example, saved
credentials for the required login fields), and only after a scheduled health check
detects an expired session — so this flag has no effect when health_checks is false.
When false, expired sessions detected by a health check are marked as NEEDS_AUTH
instead of attempting re-auth.
true
Whether to save credentials after every successful login
true
Whether to record browser sessions for this connection by default
false
Proxy selection. Provide either id or name. The proxy must belong to the caller's org.
- Option 1
- Option 2
Show child attributes
Show child attributes
Response
Auth connection updated successfully
Managed authentication that keeps a profile logged into a specific domain. Flow fields (flow_status, flow_step, discovered_fields, mfa_options) reflect the most recent login flow and are null when no flow has been initiated.
Unique identifier for the auth connection
"ma_abc123xyz"
Name of the profile associated with this auth connection
"my-netflix-profile"
Target domain for authentication
"netflix.com"
Current authentication status of the managed profile
AUTHENTICATED, NEEDS_AUTH "AUTHENTICATED"
Whether credentials are saved after every successful login. One-time codes (TOTP, SMS, etc.) are not saved.
true
Whether to record browser session replays for this connection by default. Useful for debugging login flows. Can be overridden per-login.
false
When the most recent auth health check ran for this connection, regardless of outcome. Updated on every health check and does not by itself indicate that the profile is currently authenticated - use status for that. May be newer than flow_expires_at when a flow is still in progress because health checks continue to run in parallel.
"2025-01-15T10:30:00Z"
Deprecated alias for last_auth_check_at. Despite the name, this is the last health-check timestamp, not the last successful authentication. Use last_auth_check_at instead.
"2025-01-15T10:30:00Z"
Reference to credentials for the auth connection. Use one of:
- { name } for Kernel credentials
- { provider, path } for external provider item
- { provider, auto: true } for external provider domain lookup
Show child attributes
Show child attributes
Whether Kernel can automatically re-authenticate this connection when the session expires. Requires a prior successful login plus either a Kernel credential or an external credential reference. See can_reauth_reason for the specific outcome.
true
Machine-readable reason for the current value of can_reauth.
Affirmative values (re-auth is possible):
external_credential— an external credential provider is attachedcua_has_credential— CUA flow with a stored credentialhas_credential— Kernel credential is attached (optimistic; plan viability not checked)viable_plans_found— at least one stored login plan can be replayedno_requirements_recorded— no recorded credential requirements to fail againstrequirements_satisfiable— recorded requirements can be met by the attached credential
Negative values (a human must complete the login flow):
no_prior_successful_login— connection has never completed a successful loginno_credential— no Kernel or external credential attachedno_viable_plans— credential attached but no replayable login plan exists yetviable_plans_require_external_action— stored plans need an external step (email link, push, etc.)requires_external_action— recorded requirements include an external steprequires_totp_without_secret— flow needs a TOTP code but no TOTP secret is storedrequires_sms_code— flow needs an SMS code that cannot be received automaticallyrequires_email_code— flow needs an email code that cannot be received automatically
external_credential, cua_has_credential, has_credential, viable_plans_found, no_requirements_recorded, requirements_satisfiable, no_prior_successful_login, no_credential, no_viable_plans, viable_plans_require_external_action, requires_external_action, requires_totp_without_secret, requires_sms_code, requires_email_code "has_credential"
ID of the proxy associated with this connection, if any.
Additional domains that are valid for this auth flow (besides the primary domain). Useful when login pages redirect to different domains.
The following SSO/OAuth provider domains are automatically allowed by default and do not need to be specified:
- Google: accounts.google.com
- Microsoft/Azure AD: login.microsoftonline.com, login.live.com
- Okta: *.okta.com, *.oktapreview.com
- Auth0: *.auth0.com, *.us.auth0.com, *.eu.auth0.com, *.au.auth0.com
- Apple: appleid.apple.com
- GitHub: github.com
- Facebook/Meta: www.facebook.com
- LinkedIn: www.linkedin.com
- Amazon Cognito: *.amazoncognito.com
- OneLogin: *.onelogin.com
- Ping Identity: *.pingone.com, *.pingidentity.com
["login.netflix.com", "auth.netflix.com"]Optional login page URL to skip discovery
"https://example.com/login"
URL where the browser landed after successful login
"https://www.netflix.com/browse"
Current flow status (null when no flow in progress)
IN_PROGRESS, SUCCESS, FAILED, EXPIRED, CANCELED "IN_PROGRESS"
Current step in the flow (null when no flow in progress)
DISCOVERING, AWAITING_INPUT, AWAITING_EXTERNAL_ACTION, SUBMITTING, COMPLETED "AWAITING_INPUT"
Type of the current flow (null when no flow in progress)
LOGIN, REAUTH "LOGIN"
When the current flow expires (null when no flow in progress). A flow past this timestamp is no longer valid and its flow_status will be EXPIRED. Clients may start a new login to supersede a stale IN_PROGRESS flow past this timestamp.
"2025-11-05T20:00:00Z"
Fields awaiting input (present when flow_step=awaiting_input; may also be present with awaiting_external_action as fallback actions)
Show child attributes
Show child attributes
MFA method options (present when flow_step=awaiting_input; may also be present with awaiting_external_action as fallback actions)
Show child attributes
Show child attributes
Non-MFA choices presented during the auth flow, such as account selection or org pickers (present when flow_step=awaiting_input; may also be present with awaiting_external_action as fallback actions).
Show child attributes
Show child attributes
SSO buttons available (present when flow_step=awaiting_input; may also be present with awaiting_external_action as fallback actions)
Show child attributes
Show child attributes
Instructions for external action (present when flow_step=awaiting_external_action)
"Tap 'Yes' on the Google prompt on your phone"
Visible error message from the website (e.g., 'Incorrect password'). Present when the website displays an error during login.
SSO provider being used (e.g., google, github, microsoft)
"google"
Error message (present when flow_status=failed)
"Invalid password"
Machine-readable error code (present when flow_status=failed)
URL to redirect user to for hosted login (present when flow in progress)
"https://auth.kernel.com/login/abc123xyz"
Browser live view URL for debugging (present when flow in progress)
"https://live.kernel.com/abc123xyz"
ID of the underlying browser session driving the current flow (present when flow in progress).
Use this to inspect or terminate the browser session via the /browsers API.
"bs_abc123xyz"
Interval in seconds between automatic health checks. When set, the system periodically verifies the authentication status and triggers re-authentication if needed. Maximum is 86400 (24 hours). Default is 3600 (1 hour). The minimum depends on your plan: Enterprise: 300 (5 minutes), Startup: 1200 (20 minutes), Hobbyist: 3600 (1 hour).
300 <= x <= 864003600
Whether periodic health checks are enabled for this connection. When false, the system
will not automatically verify authentication status, and auto_reauth has no effect on
the automatic flow (since re-auth is only triggered by a failed scheduled health check).
Manually triggering a health check via the API still works regardless of this setting.
true
Whether automatic re-authentication is permitted for this connection. This is an opt-in
flag only — it does not check whether re-auth is actually feasible. Even when true,
re-auth only runs when the system has what it needs to perform it (for example, saved
credentials for the required login fields), and only after a scheduled health check
detects an expired session — so this flag has no effect when health_checks is false.
When false, expired sessions detected by a health check are marked as NEEDS_AUTH
instead of attempting re-auth.
true