mng-auth

docs.json

@@ -5,7 +5,13 @@
     { "source": "/careers/infra-engineer", "destination": "https://jobs.ashbyhq.com/usekernel" },
     { "source": "/careers/backend-engineer", "destination": "https://jobs.ashbyhq.com/usekernel" },
     { "source": "/careers/engineer-new-grad", "destination": "https://jobs.ashbyhq.com/usekernel" },
-    { "source": "/careers/customer-engineer", "destination": "https://jobs.ashbyhq.com/usekernel" }
+    { "source": "/careers/customer-engineer", "destination": "https://jobs.ashbyhq.com/usekernel" },
+    { "source": "/auth/agent/overview", "destination": "/profiles/managed-auth/overview" },
+    { "source": "/auth/agent/hosted-ui", "destination": "/profiles/managed-auth/hosted-ui" },
+    { "source": "/auth/agent/programmatic", "destination": "/profiles/managed-auth/programmatic" },
+    { "source": "/auth/agent/faq", "destination": "/profiles/managed-auth/faq" },
+    { "source": "/browsers/profiles", "destination": "/profiles/overview" },
+    { "source": "/auth/credentials", "destination": "/profiles/credentials" }
   ],
   "theme": "palm",
   "name": "Kernel",
@@ -79,7 +85,22 @@
                 "pages": [
                   "browsers/replays",
                   "browsers/viewport",
-                  "browsers/profiles",
+                  {
+                    "group": "Profiles",
+                    "pages": [
+                      "profiles/overview",
+                      {
+                        "group": "Managed Auth",
+                        "pages": [
+                          "profiles/managed-auth/overview",
+                          "profiles/managed-auth/hosted-ui",
+                          "profiles/managed-auth/programmatic",
+                          "profiles/credentials",
+                          "profiles/managed-auth/faq"
+                        ]
+                      }
+                    ]
+                  },
                   "browsers/file-io",
                   "browsers/computer-controls",
                   "browsers/playwright-execution"
@@ -120,16 +141,6 @@
               }
             ]
           },
-          {
-            "group": "Agent Auth",
-            "pages": [
-              "auth/agent/overview",
-              "auth/agent/hosted-ui",
-              "auth/agent/programmatic",
-              "auth/credentials",
-              "auth/agent/faq"
-            ]
-          },
           {
             "group": "Building your app",
             "pages": [

integrations/1password.mdx

@@ -1,14 +1,14 @@
 ---
 title: "1Password"
-description: "Use credentials from your 1Password vaults for Agent Auth"
+description: "Use credentials from your 1Password vaults for Managed Auth"
 ---
 
-Connect 1Password to automatically use credentials from your existing vaults with [Agent Auth](/auth/agent/overview). No need to manually create credentials in Kernel—1Password items are discovered by domain matching.
+Connect 1Password to automatically use credentials from your existing vaults with [Managed Auth](/profiles/managed-auth/overview). No need to manually create credentials in Kernel—1Password items are discovered by domain matching.
 
 ## How It Works
 
 1. **Connect a service account** — Add your 1Password service account token in the dashboard
-2. **Domain matching** — When Agent Auth needs credentials, it searches your connected vaults for items matching the target domain
+2. **Domain matching** — When Managed Auth needs credentials, it searches your connected vaults for items matching the target domain
 3. **Automatic fill** — Credentials (including TOTP secrets) are used to complete authentication
 
 <Note>
@@ -24,37 +24,33 @@ Credentials are retrieved securely at authentication time. Values are never stor
     Copy the service account token.
   </Step>
   <Step title="Connect in Kernel Dashboard">
-    Go to **Agent Auth** in the Kernel dashboard, click the **settings icon**, then select **Integrations**. Click **Connect 1Password**.
+    Go to **Profiles** in the Kernel dashboard, click the **settings icon**, then select **Integrations**. Click **Connect 1Password**.
 
     Paste your service account token. Kernel will validate the connection and show which vaults are accessible.
   </Step>
-  <Step title="Use with Agent Auth">
-    Start an auth invocation without specifying a `credential_id`. If 1Password has a matching item for the domain, it will be used automatically.
+  <Step title="Use with Managed Auth">
+    Create managed auth without specifying a `credential_name`. If 1Password has a matching item for the domain, it will be used automatically.
 
 <CodeGroup>
 ```typescript TypeScript
-const agent = await kernel.agents.auth.create({
+const auth = await kernel.profiles.auth.create({
   domain: 'github.com',
   profile_name: 'my-github-profile',
   // No credential_name needed—1Password will provide credentials
 });
 
-const invocation = await kernel.agents.auth.invocations.create({
-  auth_agent_id: agent.id,
-});
+const login = await kernel.profiles.auth.login(auth.id);
 // Credentials for github.com are automatically retrieved from 1Password
 ```
 
 ```python Python
-agent = await kernel.agents.auth.create(
+auth = await kernel.profiles.auth.create(
     domain="github.com",
     profile_name="my-github-profile",
     # No credential_name needed—1Password will provide credentials
 )
 
-invocation = await kernel.agents.auth.invocations.create(
-    auth_agent_id=agent.id,
-)
+login = await kernel.profiles.auth.login(auth.id)
 # Credentials for github.com are automatically retrieved from 1Password
 ```
 </CodeGroup>
@@ -81,9 +77,9 @@ If your 1Password item has a one-time password (TOTP) field configured, it will
 
 When both Kernel credentials and 1Password are available for a domain:
 
-1. **Explicit credential** — If `credential_name` or `credential_id` is specified, that credential is used
+1. **Explicit credential** — If `credential_name` is specified, that credential is used
 2. **1Password** — If no explicit credential, 1Password is searched
-3. **Request input** — If no credentials found, the auth agent waits for input
+3. **Request input** — If no credentials found, the flow waits for input
 
 ## Security
 

integrations/overview.mdx

@@ -31,7 +31,7 @@ Kernel provides detailed guides for popular agent frameworks:
 - **[Val Town](/integrations/valtown)** - Serverless function runtime
 - **[Vercel](https://github.com/onkernel/vercel-template)** - Deploy browser automations to Vercel
 - **[Web Bot Authentication](/integrations/web-bot-auth)** - Create signed Chrome extensions for web bot authentication
-- **[1Password](/integrations/1password)** - Use credentials from your 1Password vaults for Agent Auth
+- **[1Password](/integrations/1password)** - Use credentials from your 1Password vaults for Managed Auth
 
 ## Custom Integrations
 

auth/credentials.mdx → profiles/credentials.mdx

@@ -3,32 +3,31 @@ title: "Credentials"
 description: "Automate authentication with stored credentials"
 ---
 
-Credentials are the automation layer for Agent Auth. Store login information securely, and Kernel handles authentication automatically—no user interaction needed.
+Credentials are the automation layer for Managed Auth. Store login information securely, and Kernel handles authentication automatically—no user interaction needed.
 
 **Three ways to provide credentials:**
-- **Save during login** — Capture credentials when a user logs in via [Hosted UI](/auth/agent/hosted-ui) or [Programmatic](/auth/agent/programmatic)
+- **Save during login** — Capture credentials when a user logs in via [Hosted UI](/profiles/managed-auth/hosted-ui) or [Programmatic](/profiles/managed-auth/programmatic)
 - **Pre-store in Kernel** — Create credentials before any login for fully headless automation
 - **Connect 1Password** — Use credentials from your existing 1Password vaults
 
 <Card title="1Password Integration" icon="key" href="/integrations/1password">
-  Connect your 1Password vaults to automatically use existing credentials with Agent Auth. Credentials are matched by domain—no manual setup per site.
+  Connect your 1Password vaults to automatically use existing credentials with Managed Auth. Credentials are matched by domain—no manual setup per site.
 </Card>
 
 ## Save credentials during login
 
-Add `save_credential_as` to any invocation. The credentials entered during login are securely stored:
+Add `save_credential_as` when starting a login flow. The credentials entered during login are securely stored:
 
 <CodeGroup>
 ```typescript TypeScript
-const invocation = await kernel.agents.auth.invocations.create({
-  auth_agent_id: agent.id,
+const login = await kernel.profiles.auth.login(auth.id, {
   save_credential_as: 'my-login',
 });
 ```
 
 ```python Python
-invocation = await kernel.agents.auth.invocations.create(
-    auth_agent_id=agent.id,
+login = await kernel.profiles.auth.login(
+    auth.id,
     save_credential_as="my-login",
 )
 ```
@@ -64,33 +63,29 @@ credential = await kernel.credentials.create(
 ```
 </CodeGroup>
 
-Then link the credential to an auth agent:
+Then link the credential when creating a connection:
 
 <CodeGroup>
 ```typescript TypeScript
-const agent = await kernel.agents.auth.create({
+const auth = await kernel.profiles.auth.create({
   domain: 'netflix.com',
   profile_name: 'my-profile',
   credential_name: credential.name,
 });
 
-// Start invocation - logs in automatically using stored credentials
-const invocation = await kernel.agents.auth.invocations.create({
-  auth_agent_id: agent.id,
-});
+// Start login - authenticates automatically using stored credentials
+const login = await kernel.profiles.auth.login(auth.id);
 ```
 
 ```python Python
-agent = await kernel.agents.auth.create(
+auth = await kernel.profiles.auth.create(
     domain="netflix.com",
     profile_name="my-profile",
     credential_name=credential.name,
 )
 
-# Start invocation - logs in automatically using stored credentials
-invocation = await kernel.agents.auth.invocations.create(
-    auth_agent_id=agent.id,
-)
+# Start login - authenticates automatically using stored credentials
+login = await kernel.profiles.auth.login(auth.id)
 ```
 </CodeGroup>
 
@@ -140,7 +135,7 @@ const credential = await kernel.credentials.create({
   },
 });
 
-const agent = await kernel.agents.auth.create({
+const auth = await kernel.profiles.auth.create({
   domain: 'target-site.com',
   profile_name: 'my-profile',
   credential_name: credential.name,
@@ -159,7 +154,7 @@ credential = await kernel.credentials.create(
     },
 )
 
-agent = await kernel.agents.auth.create(
+auth = await kernel.profiles.auth.create(
     domain="target-site.com",
     profile_name="my-profile",
     credential_name=credential.name,
@@ -185,28 +180,25 @@ const credential = await kernel.credentials.create({
   totp_secret: 'JBSWY3DPEHPK3PXP',
 });
 
-const agent = await kernel.agents.auth.create({
+const auth = await kernel.profiles.auth.create({
   domain: 'example.com',
   profile_name: 'my-profile',
   credential_name: credential.name,
 });
 
-const invocation = await kernel.agents.auth.invocations.create({
-  auth_agent_id: agent.id,
-});
+const login = await kernel.profiles.auth.login(auth.id);
 
 // Poll until password is needed
-let state = await kernel.agents.auth.invocations.retrieve(invocation.invocation_id);
-while (state.status === 'IN_PROGRESS') {
-  if (state.step === 'awaiting_input' && state.pending_fields?.length) {
+let state = await kernel.profiles.auth.retrieve(auth.id);
+while (state.flow_status === 'IN_PROGRESS') {
+  if (state.flow_step === 'AWAITING_INPUT' && state.discovered_fields?.length) {
     // Only password field will be pending (email auto-filled from credential)
-    await kernel.agents.auth.invocations.submit(
-      invocation.invocation_id,
-      { field_values: { password: 'user-provided-password' } }
-    );
+    await kernel.profiles.auth.submit(auth.id, {
+      fields: { password: 'user-provided-password' }
+    });
   }
   await new Promise(r => setTimeout(r, 2000));
-  state = await kernel.agents.auth.invocations.retrieve(invocation.invocation_id);
+  state = await kernel.profiles.auth.retrieve(auth.id);
 }
 // TOTP auto-submitted from credential → SUCCESS
 ```
@@ -219,27 +211,25 @@ credential = await kernel.credentials.create(
     totp_secret="JBSWY3DPEHPK3PXP",
 )
 
-agent = await kernel.agents.auth.create(
+auth = await kernel.profiles.auth.create(
     domain="example.com",
     profile_name="my-profile",
     credential_name=credential.name,
 )
 
-invocation = await kernel.agents.auth.invocations.create(
-    auth_agent_id=agent.id,
-)
+login = await kernel.profiles.auth.login(auth.id)
 
 # Poll until password is needed
-state = await kernel.agents.auth.invocations.retrieve(invocation.invocation_id)
-while state.status == "IN_PROGRESS":
-    if state.step == "awaiting_input" and state.pending_fields:
+state = await kernel.profiles.auth.retrieve(auth.id)
+while state.flow_status == "IN_PROGRESS":
+    if state.flow_step == "AWAITING_INPUT" and state.discovered_fields:
         # Only password field will be pending (email auto-filled from credential)
-        await kernel.agents.auth.invocations.submit(
-            invocation.invocation_id,
-            field_values={"password": "user-provided-password"},
+        await kernel.profiles.auth.submit(
+            auth.id,
+            fields={"password": "user-provided-password"},
         )
     await asyncio.sleep(2)
-    state = await kernel.agents.auth.invocations.retrieve(invocation.invocation_id)
+    state = await kernel.profiles.auth.retrieve(auth.id)
 # TOTP auto-submitted from credential → SUCCESS
 ```
 </CodeGroup>
@@ -262,5 +252,5 @@ This is useful when you want to:
 ## Notes
 
 - The `values` object is flexible—store whatever fields the login form needs (`email`, `username`, `company_id`, etc.)
-- Deleting a credential unlinks it from associated auth agents; they'll no longer auto-authenticate
+- Deleting a credential unlinks it from associated connections; they'll no longer auto-authenticate
 - One credential per account—create separate credentials for different user accounts