Managed Auth - Kernel

Manage managed auth connections, stored credentials, and external credential providers from the CLI. For authenticating the CLI itself (login, logout, API keys), see Authentication.

Connections

A managed auth connection keeps a profile logged into a domain so future browsers reuse the authenticated session. See Managed auth for concepts and the programmatic flow for the SDK equivalent.

`kernel auth connections create`

Create a managed auth connection for a profile and domain.

Flag	Description
`--profile-name <name>`	Name of the profile to manage (required).
`--domain <domain>`	Target domain for authentication (required).
`--allowed-domain <domain>`	Additional allowed domains (repeatable).
`--login-url <url>`	Login page URL to skip discovery.
`--health-check-interval <seconds>`	Seconds between health checks (300–86400).
`--proxy-id <id>`	Proxy ID to use.
`--proxy-name <name>`	Proxy name to use.
`--credential-provider <name>`	External credential provider name.
`--credential-name <name>`	Kernel credential name to use.
`--credential-path <path>`	Provider-specific path (e.g. `VaultName/ItemName`).
`--credential-auto`	Look up the credential by domain from the provider (defaults to true when `--credential-provider` is set without `--credential-path`).
`--no-save-credentials`	Don’t save credentials after a successful login.
`--output json`, `-o json`	Output raw JSON object.

`kernel auth connections list`

List managed auth connections.

Flag	Description
`--domain <domain>`	Filter by domain.
`--profile-name <name>`	Filter by profile name.
`--limit <n>`	Maximum number of results to return.
`--offset <n>`	Number of results to skip.
`--output json`, `-o json`	Output raw JSON array.

`kernel auth connections get <id>`

Get a managed auth connection by ID.

Flag	Description
`--output json`, `-o json`	Output raw JSON object.

Start a login flow and return a hosted URL for authentication.

Flag	Description
`--proxy-id <id>`	Proxy ID to use for this login.
`--proxy-name <name>`	Proxy name to use for this login.
`--output json`, `-o json`	Output raw JSON object.

`kernel auth connections submit <id>`

Submit field values to an in-progress login flow. Poll the connection (or use follow) to track progress.

Flag	Description
`--field <name=value>`	Field name/value pair (repeatable).
`--mfa-option-id <id>`	MFA option ID when an MFA method was selected.
`--sign-in-option-id <id>`	Sign-in option ID when the flow returned non-MFA choices.
`--sso-button-selector <xpath>`	XPath selector when choosing an SSO button.
`--sso-provider <provider>`	SSO provider when choosing by provider (e.g. `google`, `github`).
`--output json`, `-o json`	Output raw JSON object.

# Submit username and password
kernel auth connections submit <id> --field username=myuser --field password=mypass

# Select an MFA option
kernel auth connections submit <id> --mfa-option-id <id>

`kernel auth connections follow <id>`

Stream real-time login flow state updates over SSE.

Flag	Description
`--output json`, `-o json`	Output raw JSON events.

`kernel auth connections update <id>`

Update connection settings such as login URL, health checks, credential source, and proxy.

Flag	Description
`--login-url <url>`	Login page URL (set to an empty string to clear).
`--allowed-domain <domain>`	Additional allowed domains (replaces the existing list).
`--health-check-interval <seconds>`	Seconds between health checks.
`--proxy-id <id>`	Proxy ID to use.
`--proxy-name <name>`	Proxy name to use.
`--credential-provider <name>`	External credential provider name.
`--credential-name <name>`	Kernel credential name to use.
`--credential-path <path>`	Provider-specific path (e.g. `VaultName/ItemName`).
`--credential-auto`	Look up the credential by domain from the provider.
`--save-credentials`	Save credentials after a successful login.
`--no-save-credentials`	Don’t save credentials after a successful login.
`--output json`, `-o json`	Output raw JSON object.

`kernel auth connections delete <id>`

Delete a managed auth connection.

Flag	Description
`--yes`, `-y`	Skip the confirmation prompt.

Credentials

Store login field values, TOTP secrets, and SSO settings that managed auth connections use to authenticate. See Credentials for concepts.

`kernel credentials create`

Create a new credential.

Flag	Description
`--name <name>`	Unique name for the credential (required).
`--domain <domain>`	Target domain this credential is for (required).
`--value <name=value>`	Field name/value pair (repeatable, e.g. `--value username=myuser --value password=mypass`).
`--totp-secret <secret>`	Base32-encoded TOTP secret for 2FA.
`--sso-provider <provider>`	SSO provider (e.g. `google`, `github`, `microsoft`).
`--output json`, `-o json`	Output raw JSON object.

`kernel credentials list`

List credentials.

Flag	Description
`--domain <domain>`	Filter by domain.
`--limit <n>`	Maximum number of results to return.
`--offset <n>`	Number of results to skip.
`--output json`, `-o json`	Output raw JSON array.

`kernel credentials get <id-or-name>`

Get a credential by ID or name.

Flag	Description
`--output json`, `-o json`	Output raw JSON object.

`kernel credentials update <id-or-name>`

Update a credential.

Flag	Description
`--name <name>`	New name for the credential.
`--value <name=value>`	Field name/value pair to update (repeatable).
`--totp-secret <secret>`	Base32-encoded TOTP secret (set to an empty string to remove).
`--sso-provider <provider>`	SSO provider (set to an empty string to remove).
`--output json`, `-o json`	Output raw JSON object.

`kernel credentials totp-code <id-or-name>`

Print the current TOTP code for a credential.

Flag	Description
`--output json`, `-o json`	Output raw JSON object.

`kernel credentials delete <id-or-name>`

Delete a credential by ID or name.

Credential providers

Connect an external secrets manager (e.g. 1Password) so managed auth connections can look up credentials at login time instead of storing them in Kernel.

`kernel credential-providers create`

Flag	Description
`--provider-type <type>`	Provider type (e.g. `onepassword`).
`--name <name>`	Human-readable name for this provider instance.
`--token <token>`	Service account token for the provider.
`--cache-ttl <seconds>`	How long to cache credential lists (default: 300).
`--output json`, `-o json`	Output raw JSON object.

`kernel credential-providers list`

List credential providers.

Flag	Description
`--output json`, `-o json`	Output raw JSON array.

`kernel credential-providers get <id>`

Get a credential provider by ID.

Flag	Description
`--output json`, `-o json`	Output raw JSON object.

`kernel credential-providers list-items <id>`

List items available from a credential provider.

Flag	Description
`--output json`, `-o json`	Output raw JSON array.

`kernel credential-providers test <id>`

Test the connection to a credential provider.

Flag	Description
`--output json`, `-o json`	Output raw JSON object.

`kernel credential-providers update <id>`

Update a credential provider.

Flag	Description
`--name <name>`	New human-readable name.
`--token <token>`	New service account token (to rotate credentials).
`--cache-ttl <seconds>`	How long to cache credential lists.
`--enabled`	Whether the provider is enabled for credential lookups.
`--priority <n>`	Priority for credential lookups (lower numbers are checked first).
`--output json`, `-o json`	Output raw JSON object.

`kernel credential-providers delete <id>`

Delete a credential provider.

​Connections

​kernel auth connections create

​kernel auth connections list

​kernel auth connections get <id>

​kernel auth connections login <id>

​kernel auth connections submit <id>

​kernel auth connections follow <id>

​kernel auth connections update <id>

​kernel auth connections delete <id>

​Credentials

​kernel credentials create

​kernel credentials list

​kernel credentials get <id-or-name>

​kernel credentials update <id-or-name>

​kernel credentials totp-code <id-or-name>

​kernel credentials delete <id-or-name>

​Credential providers

​kernel credential-providers create

​kernel credential-providers list

​kernel credential-providers get <id>

​kernel credential-providers list-items <id>

​kernel credential-providers test <id>

​kernel credential-providers update <id>

​kernel credential-providers delete <id>