mng-auth

docs.json

@@ -5,7 +5,13 @@
     { "source": "/careers/infra-engineer", "destination": "https://jobs.ashbyhq.com/usekernel" },
     { "source": "/careers/backend-engineer", "destination": "https://jobs.ashbyhq.com/usekernel" },
     { "source": "/careers/engineer-new-grad", "destination": "https://jobs.ashbyhq.com/usekernel" },
-    { "source": "/careers/customer-engineer", "destination": "https://jobs.ashbyhq.com/usekernel" }
+    { "source": "/careers/customer-engineer", "destination": "https://jobs.ashbyhq.com/usekernel" },
+    { "source": "/auth/agent/overview", "destination": "/profiles/managed-auth/overview" },
+    { "source": "/auth/agent/hosted-ui", "destination": "/profiles/managed-auth/hosted-ui" },
+    { "source": "/auth/agent/programmatic", "destination": "/profiles/managed-auth/programmatic" },
+    { "source": "/auth/agent/faq", "destination": "/profiles/managed-auth/faq" },
+    { "source": "/browsers/profiles", "destination": "/profiles/overview" },
+    { "source": "/auth/credentials", "destination": "/profiles/credentials" }
   ],
   "theme": "palm",
   "name": "Kernel",
@@ -79,7 +85,22 @@
                 "pages": [
                   "browsers/replays",
                   "browsers/viewport",
-                  "browsers/profiles",
+                  {
+                    "group": "Profiles",
+                    "pages": [
+                      "profiles/overview",
+                      {
+                        "group": "Managed Auth",
+                        "pages": [
+                          "profiles/managed-auth/overview",
+                          "profiles/managed-auth/hosted-ui",
+                          "profiles/managed-auth/programmatic",
+                          "profiles/credentials",
+                          "profiles/managed-auth/faq"
+                        ]
+                      }
+                    ]
+                  },
                   "browsers/file-io",
                   "browsers/ssh",
                   "browsers/computer-controls",
@@ -121,16 +142,6 @@
               }
             ]
           },
-          {
-            "group": "Agent Auth",
-            "pages": [
-              "auth/agent/overview",
-              "auth/agent/hosted-ui",
-              "auth/agent/programmatic",
-              "auth/credentials",
-              "auth/agent/faq"
-            ]
-          },
           {
             "group": "Building your app",
             "pages": [

info/pricing.mdx

@@ -52,7 +52,13 @@ With Browser Pools, you pay the standard usage-based price per GB-second while b
 | Invocations (per-app) | 5 | 10 | 20 | Custom |
 | Managed auth profiles | N/A | 3 | 20 | Custom |
 
-> Note: Limits are org-wide by default unless stated otherwise. `Managed auth profiles` refer to the number of active auth profiles that Kernel maintains using your stored [Credentials](/auth/credentials) or [1Password connection](/integrations/1password).
+> Note: Limits are org-wide by default unless stated otherwise. `Managed auth profiles` refer to the number of active auth connections that Kernel maintains using your stored [Credentials](/profiles/credentials) or [1Password connection](/integrations/1password).
+
+## Managed Auth billing
+
+Managed Auth is included on all paid plans with no per-connection fees. Under the hood, it uses browser sessions to log in and keep your sessions fresh—these count toward your browser usage and concurrency like any other browser session.
+
+Auth sessions are fast (typically 5-30 seconds each). Kernel monitors session health and re-authenticates automatically when sessions expire—most stay valid for days. For example, keeping 100 auth connections logged in typically costs less than $5/month in browser usage.
 
 ## Pricing calculator
 

integrations/1password.mdx

@@ -1,14 +1,14 @@
 ---
 title: "1Password"
-description: "Use credentials from your 1Password vaults for Agent Auth"
+description: "Use credentials from your 1Password vaults for Managed Auth"
 ---
 
-Connect 1Password to automatically use credentials from your existing vaults with [Agent Auth](/auth/agent/overview). No need to manually create credentials in Kernel—1Password items are discovered by domain matching.
+Connect 1Password to automatically use credentials from your existing vaults with [Managed Auth](/profiles/managed-auth/overview). No need to manually create credentials in Kernel—1Password items are discovered by domain matching.
 
 ## How It Works
 
 1. **Connect a service account** — Add your 1Password service account token in the dashboard
-2. **Domain matching** — When Agent Auth needs credentials, it searches your connected vaults for items matching the target domain
+2. **Domain matching** — When Managed Auth needs credentials, it searches your connected vaults for items matching the target domain
 3. **Automatic fill** — Credentials (including TOTP secrets) are used to complete authentication
 
 <Note>
@@ -19,43 +19,55 @@ Credentials are retrieved securely at authentication time. Values are never stor
 
 <Steps>
   <Step title="Create a 1Password Service Account">
-    In 1Password, create a [service account](https://developer.1password.com/docs/service-accounts/) with access to the vaults containing your login credentials.
+    [Create a service account](https://start.1password.com/developer-tools/infrastructure-secrets/serviceaccount/?source=dev-portal) in 1Password with access to the vaults containing your login credentials.
 
-    Copy the service account token.
+    Copy the service account token (starts with `ops_`).
   </Step>
   <Step title="Connect in Kernel Dashboard">
-    Go to **Agent Auth** in the Kernel dashboard, click the **settings icon**, then select **Integrations**. Click **Connect 1Password**.
+    Go to **Integrations** in the Kernel dashboard and click **Connect 1Password**.
 
-    Paste your service account token. Kernel will validate the connection and show which vaults are accessible.
+    Give your provider a name (e.g., `my-1p`) and paste your service account token. Kernel will validate the connection and show which vaults are accessible.
+
+    You can connect multiple 1Password accounts with different names.
   </Step>
-  <Step title="Use with Agent Auth">
-    Start an auth invocation without specifying a `credential_id`. If 1Password has a matching item for the domain, it will be used automatically.
+  <Step title="Use with Managed Auth">
+    Reference your 1Password provider in the `credential` object. You can either specify an explicit item path or use auto-lookup by domain.
 
 <CodeGroup>
 ```typescript TypeScript
-const agent = await kernel.agents.auth.create({
+// Option 1: Auto-lookup by domain
+const auth = await kernel.profiles.auth.create({
   domain: 'github.com',
   profile_name: 'my-github-profile',
-  // No credential_name needed—1Password will provide credentials
+  credential: { provider: 'my-1p', auto: true },
 });
 
-const invocation = await kernel.agents.auth.invocations.create({
-  auth_agent_id: agent.id,
+// Option 2: Explicit item path (VaultName/ItemName)
+const auth = await kernel.profiles.auth.create({
+  domain: 'github.com',
+  profile_name: 'my-github-profile',
+  credential: { provider: 'my-1p', path: 'Engineering/github-login' },
 });
-// Credentials for github.com are automatically retrieved from 1Password
+
+const login = await kernel.profiles.auth.login(auth.id);
 ```
 
 ```python Python
-agent = await kernel.agents.auth.create(
+# Option 1: Auto-lookup by domain
+auth = await kernel.profiles.auth.create(
     domain="github.com",
     profile_name="my-github-profile",
-    # No credential_name needed—1Password will provide credentials
+    credential={"provider": "my-1p", "auto": True},
 )
 
-invocation = await kernel.agents.auth.invocations.create(
-    auth_agent_id=agent.id,
+# Option 2: Explicit item path (VaultName/ItemName)
+auth = await kernel.profiles.auth.create(
+    domain="github.com",
+    profile_name="my-github-profile",
+    credential={"provider": "my-1p", "path": "Engineering/github-login"},
 )
-# Credentials for github.com are automatically retrieved from 1Password
+
+login = await kernel.profiles.auth.login(auth.id)
 ```
 </CodeGroup>
   </Step>
@@ -77,13 +89,17 @@ If multiple items match a domain, the first match is used. Organize your vaults
 
 If your 1Password item has a one-time password (TOTP) field configured, it will be used automatically for 2FA—no additional setup needed.
 
-## Priority
+## Credential Options
+
+The `credential` object supports multiple sources:
 
-When both Kernel credentials and 1Password are available for a domain:
+| Type | Example | Description |
+|------|---------|-------------|
+| Kernel credential | `{ name: 'my-creds' }` | Use a credential stored in Kernel |
+| 1Password explicit | `{ provider: 'my-1p', path: 'Vault/Item' }` | Use a specific 1Password item |
+| 1Password auto | `{ provider: 'my-1p', auto: true }` | Search 1Password by domain |
 
-1. **Explicit credential** — If `credential_name` or `credential_id` is specified, that credential is used
-2. **1Password** — If no explicit credential, 1Password is searched
-3. **Request input** — If no credentials found, the auth agent waits for input
+If no `credential` is specified, the flow will wait for manual input.
 
 ## Security
 

integrations/overview.mdx

@@ -31,7 +31,7 @@ Kernel provides detailed guides for popular agent frameworks:
 - **[Val Town](/integrations/valtown)** - Serverless function runtime
 - **[Vercel](https://github.com/onkernel/vercel-template)** - Deploy browser automations to Vercel
 - **[Web Bot Authentication](/integrations/web-bot-auth)** - Create signed Chrome extensions for web bot authentication
-- **[1Password](/integrations/1password)** - Use credentials from your 1Password vaults for Agent Auth
+- **[1Password](/integrations/1password)** - Use credentials from your 1Password vaults for Managed Auth
 
 ## Custom Integrations