Invocations
Proxies
Browsers
- GETList browser sessions
- POSTCreate a browser session
- DELDelete a persistent browser sessiondeprecated
- GETGet browser session details
- DELDelete a browser session by ID.
- PATCHUpdate browser session
- POSTAd-hoc upload one or more unpacked extensions to a running browser instance.
- POSTExecute a batch of computer actions sequentially
- POSTGet the current mouse cursor position on the browser instance
- POSTMake an HTTP request through the browser's network stack
Browser Replays
Browser Computer Controls
- POSTSimulate a mouse click action on the browser instance
- POSTMove the mouse cursor to the specified coordinates on the browser instance
- POSTCapture a screenshot of the browser instance
- POSTType text on the browser instance
- POSTPress one or more keys on the host computer
- POSTScroll the mouse wheel at a position on the host computer
- POSTDrag the mouse along a path
- POSTSet cursor visibility
- POSTRead text from the clipboard on the browser instance
- POSTWrite text to the clipboard on the browser instance
Apps
Deployments
Browser Filesystem
- GETRead file contents
- PUTWrite or create a file
- GETList files in a directory
- PUTCreate a new directory
- PUTDelete a file
- PUTDelete a directory
- PUTSet file or directory permissions/ownership
- GETGet information about a file or directory
- PUTMove or rename a file or directory
- POSTWatch a directory for changes
- GETStream filesystem events for a watch
- DELStop watching a directory
- GETDownload a directory as a ZIP archive
- POSTUpload one or more files
- POSTUpload a zip archive and extract it
Browser Processes
Browser Playwright
Browser Pools
Profiles
Managed Auth
import Kernel from '@onkernel/sdk';
const client = new Kernel({
apiKey: process.env['KERNEL_API_KEY'], // This is the default and can be omitted
});
const managedAuth = await client.auth.connections.update('id');
console.log(managedAuth.id);{
"id": "ma_abc123xyz",
"profile_name": "my-netflix-profile",
"domain": "netflix.com",
"status": "AUTHENTICATED",
"save_credentials": true,
"last_auth_check_at": "2025-01-15T10:30:00Z",
"last_auth_at": "2025-01-15T10:30:00Z",
"credential": {
"name": "my-netflix-creds",
"provider": "my-1p",
"path": "Personal/Netflix",
"auto": true
},
"can_reauth": true,
"can_reauth_reason": "has_credential",
"proxy_id": "<string>",
"allowed_domains": [
"login.netflix.com",
"auth.netflix.com"
],
"login_url": "https://example.com/login",
"post_login_url": "https://www.netflix.com/browse",
"flow_status": "IN_PROGRESS",
"flow_step": "AWAITING_INPUT",
"flow_type": "LOGIN",
"flow_expires_at": "2025-11-05T20:00:00Z",
"discovered_fields": [
{
"name": "email",
"type": "email",
"label": "Email address",
"selector": "input#email",
"placeholder": "you@example.com",
"required": true,
"linked_mfa_type": "sms",
"hint": "Enter the phone ending in (***) ***-**92"
}
],
"mfa_options": [
{
"type": "sms",
"label": "Text me a code",
"target": "***-***-5678",
"description": "We'll send a 6-digit code to your phone"
}
],
"sign_in_options": [
{
"id": "work-account",
"label": "Work Account (user@company.com)",
"description": "user@company.com"
}
],
"pending_sso_buttons": [
{
"selector": "xpath=//button[contains(text(), 'Continue with Google')]",
"provider": "google",
"label": "Continue with Google"
}
],
"external_action_message": "Tap 'Yes' on the Google prompt on your phone",
"website_error": "<string>",
"sso_provider": "google",
"error_message": "Invalid password",
"error_code": "<string>",
"hosted_url": "https://auth.kernel.com/login/abc123xyz",
"live_view_url": "https://live.kernel.com/abc123xyz",
"browser_session_id": "bs_abc123xyz",
"health_check_interval": 3600
}Update auth connection
Update an auth connection’s configuration. Only the fields provided will be updated.
import Kernel from '@onkernel/sdk';
const client = new Kernel({
apiKey: process.env['KERNEL_API_KEY'], // This is the default and can be omitted
});
const managedAuth = await client.auth.connections.update('id');
console.log(managedAuth.id);{
"id": "ma_abc123xyz",
"profile_name": "my-netflix-profile",
"domain": "netflix.com",
"status": "AUTHENTICATED",
"save_credentials": true,
"last_auth_check_at": "2025-01-15T10:30:00Z",
"last_auth_at": "2025-01-15T10:30:00Z",
"credential": {
"name": "my-netflix-creds",
"provider": "my-1p",
"path": "Personal/Netflix",
"auto": true
},
"can_reauth": true,
"can_reauth_reason": "has_credential",
"proxy_id": "<string>",
"allowed_domains": [
"login.netflix.com",
"auth.netflix.com"
],
"login_url": "https://example.com/login",
"post_login_url": "https://www.netflix.com/browse",
"flow_status": "IN_PROGRESS",
"flow_step": "AWAITING_INPUT",
"flow_type": "LOGIN",
"flow_expires_at": "2025-11-05T20:00:00Z",
"discovered_fields": [
{
"name": "email",
"type": "email",
"label": "Email address",
"selector": "input#email",
"placeholder": "you@example.com",
"required": true,
"linked_mfa_type": "sms",
"hint": "Enter the phone ending in (***) ***-**92"
}
],
"mfa_options": [
{
"type": "sms",
"label": "Text me a code",
"target": "***-***-5678",
"description": "We'll send a 6-digit code to your phone"
}
],
"sign_in_options": [
{
"id": "work-account",
"label": "Work Account (user@company.com)",
"description": "user@company.com"
}
],
"pending_sso_buttons": [
{
"selector": "xpath=//button[contains(text(), 'Continue with Google')]",
"provider": "google",
"label": "Continue with Google"
}
],
"external_action_message": "Tap 'Yes' on the Google prompt on your phone",
"website_error": "<string>",
"sso_provider": "google",
"error_message": "Invalid password",
"error_code": "<string>",
"hosted_url": "https://auth.kernel.com/login/abc123xyz",
"live_view_url": "https://live.kernel.com/abc123xyz",
"browser_session_id": "bs_abc123xyz",
"health_check_interval": 3600
}Documentation Index
Fetch the complete documentation index at: https://kernel.sh/docs/llms.txt
Use this file to discover all available pages before exploring further.
Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Path Parameters
Auth connection ID
Body
Request to update an auth connection's configuration
Login page URL. Set to empty string to clear.
"https://netflix.com/login"
Reference to credentials for the auth connection. Use one of:
- { name } for Kernel credentials
- { provider, path } for external provider item
- { provider, auto: true } for external provider domain lookup
Show child attributes
Show child attributes
Additional domains valid for this auth flow (replaces existing list)
["login.netflix.com", "auth.netflix.com"]Interval in seconds between automatic health checks
300 <= x <= 864003600
Whether to save credentials after every successful login
true
Proxy selection. Provide either id or name. The proxy must belong to the caller's org.
- Option 1
- Option 2
Show child attributes
Show child attributes
Response
Auth connection updated successfully
Managed authentication that keeps a profile logged into a specific domain. Flow fields (flow_status, flow_step, discovered_fields, mfa_options) reflect the most recent login flow and are null when no flow has been initiated.
Unique identifier for the auth connection
"ma_abc123xyz"
Name of the profile associated with this auth connection
"my-netflix-profile"
Target domain for authentication
"netflix.com"
Current authentication status of the managed profile
AUTHENTICATED, NEEDS_AUTH "AUTHENTICATED"
Whether credentials are saved after every successful login. One-time codes (TOTP, SMS, etc.) are not saved.
true
When the most recent auth health check ran for this connection, regardless of outcome. Updated on every health check and does not by itself indicate that the profile is currently authenticated - use status for that. May be newer than flow_expires_at when a flow is still in progress because health checks continue to run in parallel.
"2025-01-15T10:30:00Z"
Deprecated alias for last_auth_check_at. Despite the name, this is the last health-check timestamp, not the last successful authentication. Use last_auth_check_at instead.
"2025-01-15T10:30:00Z"
Reference to credentials for the auth connection. Use one of:
- { name } for Kernel credentials
- { provider, path } for external provider item
- { provider, auto: true } for external provider domain lookup
Show child attributes
Show child attributes
Whether automatic re-authentication is possible (has credential, selectors, and login_url)
true
Reason why automatic re-authentication is or is not possible
"has_credential"
ID of the proxy associated with this connection, if any.
Additional domains that are valid for this auth flow (besides the primary domain). Useful when login pages redirect to different domains.
The following SSO/OAuth provider domains are automatically allowed by default and do not need to be specified:
- Google: accounts.google.com
- Microsoft/Azure AD: login.microsoftonline.com, login.live.com
- Okta: *.okta.com, *.oktapreview.com
- Auth0: *.auth0.com, *.us.auth0.com, *.eu.auth0.com, *.au.auth0.com
- Apple: appleid.apple.com
- GitHub: github.com
- Facebook/Meta: www.facebook.com
- LinkedIn: www.linkedin.com
- Amazon Cognito: *.amazoncognito.com
- OneLogin: *.onelogin.com
- Ping Identity: *.pingone.com, *.pingidentity.com
["login.netflix.com", "auth.netflix.com"]Optional login page URL to skip discovery
"https://example.com/login"
URL where the browser landed after successful login
"https://www.netflix.com/browse"
Current flow status (null when no flow in progress)
IN_PROGRESS, SUCCESS, FAILED, EXPIRED, CANCELED "IN_PROGRESS"
Current step in the flow (null when no flow in progress)
DISCOVERING, AWAITING_INPUT, AWAITING_EXTERNAL_ACTION, SUBMITTING, COMPLETED "AWAITING_INPUT"
Type of the current flow (null when no flow in progress)
LOGIN, REAUTH "LOGIN"
When the current flow expires (null when no flow in progress). A flow past this timestamp is no longer valid and its flow_status will be EXPIRED. Clients may start a new login to supersede a stale IN_PROGRESS flow past this timestamp.
"2025-11-05T20:00:00Z"
Fields awaiting input (present when flow_step=awaiting_input)
Show child attributes
Show child attributes
MFA method options (present when flow_step=awaiting_input and MFA selection required)
Show child attributes
Show child attributes
Non-MFA choices presented during the auth flow, such as account selection or org pickers (present when flow_step=awaiting_input).
Show child attributes
Show child attributes
SSO buttons available (present when flow_step=awaiting_input)
Show child attributes
Show child attributes
Instructions for external action (present when flow_step=awaiting_external_action)
"Tap 'Yes' on the Google prompt on your phone"
Visible error message from the website (e.g., 'Incorrect password'). Present when the website displays an error during login.
SSO provider being used (e.g., google, github, microsoft)
"google"
Error message (present when flow_status=failed)
"Invalid password"
Machine-readable error code (present when flow_status=failed)
URL to redirect user to for hosted login (present when flow in progress)
"https://auth.kernel.com/login/abc123xyz"
Browser live view URL for debugging (present when flow in progress)
"https://live.kernel.com/abc123xyz"
ID of the underlying browser session driving the current flow (present when flow in progress).
Use this to inspect or terminate the browser session via the /browsers API.
"bs_abc123xyz"
Interval in seconds between automatic health checks. When set, the system periodically verifies the authentication status and triggers re-authentication if needed. Maximum is 86400 (24 hours). Default is 3600 (1 hour). The minimum depends on your plan: Enterprise: 300 (5 minutes), Startup: 1200 (20 minutes), Hobbyist: 3600 (1 hour).
300 <= x <= 864003600