> ## Documentation Index
> Fetch the complete documentation index at: https://tbd-6fc993ce-hypeship-docker-sandboxes-integration.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Overview

> Maintain authenticated browser sessions for agents

Managed Auth creates and maintains authenticated browser sessions for your AI agents. Store credentials once, and Kernel re-authenticates automatically when needed. When you launch Kernel browsers with Managed Auth connections, your agent starts already logged in and ready to go.

## How It Works

<Steps>
  <Step title="Create a Connection">
    A **Managed Auth Connection** attaches an authenticated domain to a browser [profile](/auth/profiles) so you can automatically be logged in when you launch future browsers. A single profile can have multiple auth connections — one per domain you want to keep authenticated.

    <CodeGroup>
      ```typescript TypeScript theme={null}
      const auth = await kernel.auth.connections.create({
        domain: 'netflix.com',
        profile_name: 'netflix-user-123',
      });
      ```

      ```python Python theme={null}
      auth = await kernel.auth.connections.create(
          domain="netflix.com",
          profile_name="netflix-user-123",
      )
      ```
    </CodeGroup>
  </Step>

  <Step title="Start a Login Session">
    A **Managed Auth Session** is the corresponding login flow for the specified connection. Users provide credentials via a Kernel-hosted page or your own UI.

    Specify a [Credential](/auth/credentials) to enable re-authentication without user input.

    <CodeGroup>
      ```typescript TypeScript theme={null}
      const login = await kernel.auth.connections.login(auth.id);

      // Send user to login page
      console.log('Login URL:', login.hosted_url);

      // Poll until complete
      let state = await kernel.auth.connections.retrieve(auth.id);
      while (state.flow_status === 'IN_PROGRESS') {
        await new Promise(r => setTimeout(r, 2000));
        state = await kernel.auth.connections.retrieve(auth.id);
      }

      if (state.status === 'AUTHENTICATED') {
        console.log('Authenticated!');
      }
      ```

      ```python Python theme={null}
      login = await kernel.auth.connections.login(auth.id)

      # Send user to login page
      print(f"Login URL: {login.hosted_url}")

      # Poll until complete
      state = await kernel.auth.connections.retrieve(auth.id)
      while state.flow_status == "IN_PROGRESS":
          await asyncio.sleep(2)
          state = await kernel.auth.connections.retrieve(auth.id)

      if state.status == "AUTHENTICATED":
          print("Authenticated!")
      ```
    </CodeGroup>
  </Step>

  <Step title="Use the Profile">
    Once the auth connection completes, the authenticated session is saved to the browser [profile](/auth/profiles) specified in step 1. You can attach additional auth connections to the same profile for other domains. When you create a browser with the profile, all of its auth connections are available — the browser session will already be logged in to every connected domain.

    <CodeGroup>
      ```typescript TypeScript theme={null}
      const browser = await kernel.browsers.create({
        profile: { name: 'netflix-user-123' },
        stealth: true,
      });

      // Navigate to the site—you're already logged in
      await page.goto('https://netflix.com');
      ```

      ```python Python theme={null}
      browser = await kernel.browsers.create(
          profile={"name": "netflix-user-123"},
          stealth=True,
      )

      # Navigate to the site—you're already logged in
      await page.goto("https://netflix.com")
      ```
    </CodeGroup>
  </Step>
</Steps>

## Choose Your Integration

<CardGroup cols={2}>
  <Card title="Hosted UI" icon="browser" href="/auth/hosted-ui">
    **Start here** - Simplest integration

    Redirect users to Kernel's hosted page. Add features incrementally: save credentials for auto-reauth, custom login URLs, SSO support.
  </Card>

  <Card title="Programmatic" icon="code" href="/auth/programmatic">
    **Full control** - Custom UI or headless

    Build your own credential collection. Handle login fields, SSO buttons, MFA selection, and external actions (push notifications, security keys).
  </Card>
</CardGroup>

## Why Managed Auth?

Managed Auth automates **login flows** — navigating login pages, filling credentials, handling SSO redirects, and completing MFA challenges. It keeps your profiles logged in across sessions.

The most valuable workflows live behind logins. Managed Auth provides:

* **Works on any website** - Login pages are discovered and handled automatically
* **SSO/OAuth support** - "Sign in with Google/GitHub/Microsoft" buttons work out-of-the-box, with common SSO provider domains automatically allowed
* **2FA/OTP handling** - TOTP codes automated with automatic retry on expiry, SMS/email/push OTP are supported
* **Post-login URL** - Get the URL where login landed (`post_login_url`) so you can start automations from the right page
* **Session monitoring** - Automatic re-authentication when sessions expire with stored credentials
* **Secure by default** - Credentials encrypted at rest, never exposed in API responses, or passed to LLMs

## Security

| Feature                    | Description                                        |
| -------------------------- | -------------------------------------------------- |
| **Encrypted credentials**  | Values encrypted with per-organization keys        |
| **No credential exposure** | Never returned in API responses or passed to LLMs  |
| **Encrypted profiles**     | Browser session state encrypted end-to-end         |
| **Isolated execution**     | Each login runs in an isolated browser environment |