How does re-authentication work?
When you link credentials to a connection, Kernel monitors the session and re-authenticates automatically when it expires. Periodic health checks (default: every hour) detect logged-out sessions and trigger re-auth in the background, so the profile stays logged in without any action on your part.
Automatic re-authentication only works when credentials are complete and don’t require human input. If login needs SMS/email OTP, push notifications, or manual MFA selection, you’ll need to trigger a new login session manually.
How do I know if a connection can auto-reauth?
Check the can_reauth field on a connection. This boolean tells you whether Kernel can automatically re-authenticate the connection when the session expires.
can_reauth is true when all of the following are met:
- Credential linked — A credential is attached to the connection (stored in Kernel or via an external provider like 1Password)
- Login URL set — The connection has a login_url (set automatically after the first successful login, or provided manually)
- Login flow learned — At least one successful login has completed so Kernel has learned the login flow for the site
- No external action required — The learned login flow doesn’t require human intervention (see below)
External actions that prevent auto-reauth
After a successful login, Kernel saves the login flow. If the flow includes steps that require human action—like SMS/email OTP, push notifications, or manual MFA selection—Kernel marks the connection as unable to auto-reauth because those steps can’t be automated without user input.
If your login flow requires one of these, you can still automate around it:
- Switch to TOTP — If the site supports authenticator apps, add a totp_secret to your credential. TOTP codes are generated automatically, so the login flow won’t require external action.
- Trigger manual re-auth — Start a new login session when status is NEEDS_AUTH and route the user through the Hosted UI or Programmatic flow.
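Why a totp_secret removes the human step, as an added example (standard RFC 6238 code, not Kernel's implementation): the code is a pure function of the stored secret and the clock, so nothing has to be delivered to a person the way an SMS or push prompt is. The function names and the use of the published RFC test seed are choices made for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Published RFC 6238 test seed (ASCII "12345678901234567890"), not a real credential.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 setup key as sites display it: grouped, lowercase, unpadded."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that sites usually strip
    return base64.b32decode(cleaned)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1, the variant most authenticator apps default to."""
    now = time.time() if at is None else at
    counter = max(int(now), 0) // step  # number of time steps since the Unix epoch
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, at: Optional[float] = None,
           step: int = 30, window: int = 1) -> bool:
    """Check a code as a site typically does, allowing +/- `window` steps of clock drift."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret_b32, now + i * step, step, len(code)), code)
        for i in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("code now:", totp(RFC_TEST_SECRET))
    print("RFC vector at t=59:", totp(RFC_TEST_SECRET, at=59, digits=8))
```

Because anyone holding the secret can generate valid codes, a stored totp_secret needs the same protection as the password it accompanies.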
How do I know if a connection needs authentication?
Check the connection’s status field:
- AUTHENTICATED — Profile is logged in and ready to use
- NEEDS_AUTH — Profile needs authentication (auto-reauth failed or isn’t possible)
If status is NEEDS_AUTH, start a new login session. This happens when auto-reauth fails (e.g., password changed), when credentials require human input, or when can_reauth is false.
What authentication methods are supported?
Managed Auth supports username/password authentication and most SSO providers.
Passkey-based authentication (e.g., Google accounts with passkeys enabled) is not currently supported. If a user’s SSO provider requires a passkey, the login will fail.
What happens if login fails?
If a login attempt fails, Kernel will retry with exponential backoff. After multiple failures, the login flow will be marked as failed and you’ll receive an error. Common failure reasons include:
- Invalid credentials
- Bot detection blocking the login page
- Captcha that couldn’t be solved
Can I use Managed Auth with any website?
Managed Auth works with any website. Sites with aggressive bot detection may require additional configuration (stealth mode, proxies). Passkeys and hardware security keys are not currently supported.
How is Managed Auth billed?
Managed Auth is included on all paid plans with no per-connection fees. It uses browser sessions to log in and keep your sessions fresh—these count toward your browser usage like any other browser session.
Auth sessions are fast (typically 5-30 seconds each). Kernel monitors session health and re-authenticates automatically when sessions expire—most stay valid for days. For example, keeping 100 auth connections logged in typically costs less than $5/month in browser usage. See Pricing & Limits for details.