kernel · masnwilliams · Mar 11, 2026
diff --git a/profiles/credentials.mdx b/profiles/credentials.mdx
@@ -138,7 +138,7 @@ credential = await kernel.credentials.create(
 
 For sites with "Sign in with Google/GitHub/Microsoft", set `sso_provider` and include the OAuth provider's domains in `allowed_domains`.
 
-The workflow automatically clicks the matching SSO button and completes OAuth:
+The workflow automatically selects the matching SSO provider and completes the OAuth flow:
 
 <CodeGroup>
 ```typescript TypeScript

diff --git a/profiles/managed-auth/faq.mdx b/profiles/managed-auth/faq.mdx
@@ -10,50 +10,118 @@ When you link credentials to a connection, Kernel monitors the login session and
 Automatic re-authentication only works when the stored credentials are complete and don't require human input. If login needs SMS/email OTP, push notifications, or manual MFA selection, you'll need to trigger a new login session manually.
 </Warning>
 
+## How do I trigger re-authentication manually?
+
+Call `.login()` on an existing connection to trigger re-authentication without waiting for the next health check:
+
+<CodeGroup>
+```typescript TypeScript
+const login = await kernel.auth.connections.login(auth.id);
+```
+
+```python Python
+login = await kernel.auth.connections.login(auth.id)
+```
+</CodeGroup>
+
+If the connection is already authenticated, this returns quickly. If the login flow requires human input (e.g., MFA), handle it via the [Hosted UI](/profiles/managed-auth/hosted-ui) or [Programmatic](/profiles/managed-auth/programmatic) flow.
 
 ## How often are health checks performed?
 
-Health checks on regular cadences based on your plan:
+Health checks run on regular cadences based on your plan:
 - Hobbyist (1 hr)
 - Start-Up (15 min)
 - Enterprise (configurable)
 
-## How do I know if a Kernel can automatically re-authenticate a connection?
+You can configure the health check interval when creating or updating a connection:
+
+<CodeGroup>
+```typescript TypeScript
+await kernel.auth.connections.update(auth.id, {
+  health_check_interval: 600, // 10 minutes (300–86400 seconds)
+});
+```
+
+```python Python
+await kernel.auth.connections.update(
+    auth.id,
+    health_check_interval=600,  # 10 minutes (300–86400 seconds)
+)
+```
+</CodeGroup>
+
+The interval must be between 300 seconds (5 minutes) and 86400 seconds (24 hours). Changes take effect immediately.
+
+## How do I know if Kernel can automatically re-authenticate a connection?
 
 Check the `can_reauth` field on a connection. This boolean checks the following conditions:
 
 1. **Credential linked** — A credential must be attached to the connection (stored in Kernel or via an external provider like [1Password](/integrations/1password))
-2. **No external action required** — The learned login flow doesn't require human intervention
+2. **No external action required** — The login flow doesn't require human intervention
 
 Only if all of the above conditions are met will `can_reauth` be `true`. When true, Kernel will attempt to automatically re-authenticate the connection.
 
 ### External actions that prevent auto-reauth
 
-After a successful login, Kernel saves the login flow. If the flow includes steps that require human action—like SMS/email OTP, push notifications, or manual MFA selection—Kernel marks the connection as unable to auto-reauth because those steps can't be automated without user input.
+After a successful login, Kernel records what the login flow required. If the flow includes steps that require human action — like SMS/email OTP, push notifications, or manual MFA selection — Kernel marks the connection as unable to auto-reauth because those steps can't be automated without user input.
 
 If your login flow requires one of these, you can still automate around it:
 - **Switch to TOTP** — If the site supports authenticator apps, add a `totp_secret` to your credential. TOTP codes are generated automatically, so the login flow won't require external action.
 - **Trigger manual re-auth** — Start a new login session and route the user through the [Hosted UI](/profiles/managed-auth/hosted-ui) or [Programmatic](/profiles/managed-auth/programmatic) flow.
 
 ## Which authentication methods are supported?
 
-Managed Auth supports username/password authentication and most SSO providers. 
+Managed Auth supports username/password authentication and most SSO providers. The CUA-based login agent handles complex login flows including multi-step logins, popups, CAPTCHAs, and account selection screens.
+
+Tested sites include: LinkedIn, Google, Instacart, X/Twitter, Airbnb, PayPal, Netflix, Amazon, Walmart, and many more.
 
 <Warning>
-Passkey-based authentication (e.g., Google accounts with passkeys enabled) is not currently supported. If a user's SSO provider requires a passkey, the login will fail.
+Passkey-based authentication (e.g., hardware security keys, device-bound passkeys) is not currently supported. If a login flow requires a passkey, it will fail with the `unsupported_auth_method` error code.
 </Warning>
 
 ## What happens if login fails?
 
-If a login attempt fails, Kernel will retry with exponential backoff. After multiple failures, the [login flow](/profiles/managed-auth/hosted-ui) will be marked as failed and you'll receive an error. Common failure reasons include:
+If a login attempt fails, the connection status changes to `NEEDS_AUTH` and the flow includes an error code and message. Common error codes include:
+
+| Error code | Description |
+|------------|-------------|
+| `domain_not_allowed` | Login redirected to a domain not in `allowed_domains` |
+| `network_error` | DNS or connection failure, possibly a proxy issue |
+| `unsupported_auth_method` | Login requires a passkey or security key |
+| `awaiting_input_timeout` | User didn't provide input in time |
+| `external_action_timeout` | Push notification or app approval wasn't completed in time |
+| `max_steps_exceeded` | Login flow exceeded the maximum step count |
 
-- Invalid credentials
-- Bot detection blocking the login page
-- CAPTCHAs that couldn't be solved
+Timeouts (`awaiting_input_timeout`, `external_action_timeout`) are recoverable — start a new login session to retry.
 
 ## Can I use Managed Auth with any website?
 
-Managed Auth works with most websites. Sites with aggressive bot detection may require additional configuration (stealth mode, proxies). Passkeys and hardware security keys are not currently supported.
+Managed Auth works with most websites. The CUA-based agent visually navigates login pages, which makes it more resilient to different page layouts and complex flows than traditional DOM-based approaches. Sites with aggressive bot detection may require additional configuration (stealth mode, proxies). Passkeys and hardware security keys are not currently supported.
+
+## Can I update a connection after creating it?
+
+Yes. Use the update endpoint to change configuration without recreating the connection:
+
+<CodeGroup>
+```typescript TypeScript
+await kernel.auth.connections.update(auth.id, {
+  login_url: 'https://example.com/signin',
+  health_check_interval: 900,
+  allowed_domains: ['example.com', 'accounts.google.com'],
+});
+```
+
+```python Python
+await kernel.auth.connections.update(
+    auth.id,
+    login_url="https://example.com/signin",
+    health_check_interval=900,
+    allowed_domains=["example.com", "accounts.google.com"],
+)
+```
+</CodeGroup>
+
+All fields are optional — only provided fields are changed.
 
 ## How is Managed Auth billed?
 

diff --git a/profiles/managed-auth/hosted-ui.mdx b/profiles/managed-auth/hosted-ui.mdx
@@ -131,7 +131,7 @@ Managed Auth Connections are generated using Kernel's [stealth](/browsers/bot-de
 </Info>
 
 
-## Complete Example
+## Complete example
 
 <CodeGroup>
 ```typescript TypeScript
@@ -204,17 +204,17 @@ if state.status == "AUTHENTICATED":
 ```
 </CodeGroup>
 
-## Adding Features
+## Adding features
 
 The basic flow above gets you started. Add these features as needed:
 
-### Credentials and Auto-Reauth
+### Credentials and auto-reauth
 
 Credentials are saved after every successful login, enabling automatic re-authentication when the session expires. One-time codes (TOTP, SMS, etc.) are not saved.
 
 To opt out of credential saving, set `save_credentials: false` when creating the connection. See [Credentials](/profiles/credentials) for more on automated authentication.
 
-### Custom Login URL
+### Custom login URL
 
 If the site's login page isn't at the default location, specify it when creating the connection:
 
@@ -236,7 +236,7 @@ auth = await kernel.auth.connections.create(
 ```
 </CodeGroup>
 
-### SSO/OAuth Support
+### SSO/OAuth support
 
 Sites with "Sign in with Google/GitHub/Microsoft" are supported. The user completes the OAuth flow with the provider, and the authenticated session is automatically saved to the Kernel profile.
 
@@ -260,9 +260,48 @@ auth = await kernel.auth.connections.create(
 ```
 </CodeGroup>
 
-### Post-Login URL
+### Health check interval
 
-After successful authentication, `post_login_url` will be set to the page where the login landed. Use this start your automation from the right place:
+Configure how often Kernel checks that the login session is still valid:
+
+<CodeGroup>
+```typescript TypeScript
+const auth = await kernel.auth.connections.create({
+  domain: 'example.com',
+  profile_name: 'my-profile',
+  health_check_interval: 900, // 15 minutes (300–86400 seconds)
+});
+```
+
+```python Python
+auth = await kernel.auth.connections.create(
+    domain="example.com",
+    profile_name="my-profile",
+    health_check_interval=900,  # 15 minutes (300–86400 seconds)
+)
+```
+</CodeGroup>
+
+You can also update the health check interval on an existing connection:
+
+<CodeGroup>
+```typescript TypeScript
+await kernel.auth.connections.update(auth.id, {
+  health_check_interval: 600, // 10 minutes
+});
+```
+
+```python Python
+await kernel.auth.connections.update(
+    auth.id,
+    health_check_interval=600,  # 10 minutes
+)
+```
+</CodeGroup>
+
+### Post-login URL
+
+After successful authentication, `post_login_url` will be set to the page where the login landed. Use this to start your automation from the right place:
 
 <CodeGroup>
 ```typescript TypeScript

diff --git a/profiles/managed-auth/overview.mdx b/profiles/managed-auth/overview.mdx
@@ -3,17 +3,15 @@ title: "Overview"
 description: "Create authenticated browser sessions for your automations"
 ---
 
-<Note>
-  Managed Auth is currently in public beta. Features are subject to change.
-</Note>
-
 Managed Auth creates and maintains authenticated browser profiles for your AI agents and web automations. Store credentials once, and Kernel re-authenticates automatically when needed. When you launch a browser with the managed profile, you're already logged in and ready to go.
 
-## How It Works
+Managed Auth uses a Computer Use Agent (CUA) under the hood — an AI that visually navigates login pages using screenshots, just like a human would. This means it handles complex login flows automatically: multi-step logins, popups, CAPTCHAs, and account selection screens.
+
+## How it works
 
 <Steps>
   <Step title="Create a Connection">
-    A **Managed Auth Connection** links a profile to a website domain. Create one for each domain + profile combination you want to keep authenticated.
+    A **Managed Auth Connection** associates a profile to a website domain. Create one for each domain + profile combination you want to keep authenticated.
 
 <CodeGroup>
 ```typescript TypeScript
@@ -33,7 +31,7 @@ auth = await kernel.auth.connections.create(
   </Step>
   <Step title="Start a Login Session">
     A **Managed Auth Session** is the corresponding login flow for the specified connection. Users provide credentials via a Kernel-hosted page or your own UI.
-   
+
     Specify a [Credential](/profiles/credentials) to enable re-authentication without user input.
 
 <CodeGroup>
@@ -101,7 +99,7 @@ await page.goto("https://netflix.com")
   </Step>
 </Steps>
 
-## Choose Your Integration
+## Choose your integration
 
 <CardGroup cols={2}>
   <Card title="Hosted UI" icon="browser" href="/profiles/managed-auth/hosted-ui">
@@ -112,7 +110,7 @@ await page.goto("https://netflix.com")
   <Card title="Programmatic" icon="code" href="/profiles/managed-auth/programmatic">
     **Full control** - Custom UI or headless
 
-    Build your own credential collection. Handle login fields, SSO buttons, MFA selection, and external actions (push notifications, security keys).
+    Build your own credential collection. Handle login fields, SSO buttons, MFA selection, sign-in options, and external actions (push notifications, security keys).
   </Card>
 </CardGroup>
 
@@ -121,12 +119,39 @@ await page.goto("https://netflix.com")
 
 The most valuable workflows live behind logins. Managed Auth provides:
 
-- **Works on any website** - Login pages are discovered and handled automatically
-- **SSO/OAuth support** - "Sign in with Google/GitHub/Microsoft" buttons work out-of-the-box via `allowed_domains`
-- **2FA/OTP handling** - TOTP codes automated, SMS/email/push OTP are supported
-- **Post-login URL** - Get the URL where login landed (`post_login_url`) so you can start automations from the right page
-- **Session monitoring** - Automatic re-authentication when sessions expire with stored credentials
-- **Secure by default** - Credentials encrypted at rest, never exposed in API responses, or passed to LLMs
+- **Works on any website** — The CUA visually navigates login pages, handling complex flows including multi-step logins, popups, and account selection screens
+- **SSO/OAuth support** — "Sign in with Google/GitHub/Microsoft" buttons work out-of-the-box via `allowed_domains`
+- **2FA/OTP handling** — TOTP codes automated, SMS/email/push OTP supported
+- **Post-login URL** — Get the URL where login landed (`post_login_url`) so you can start automations from the right page
+- **Session monitoring** — Automatic re-authentication when sessions expire with stored credentials
+- **Health checks** — Periodic verification that login sessions are still valid, with configurable intervals
+- **Secure by default** — Credentials encrypted at rest, never exposed in API responses, or passed to LLMs
+- **Learns from experience** — The CUA generates reusable skills from successful logins, making subsequent logins faster and more reliable
+
+## Updating a connection
+
+After creating a connection, you can update its configuration without recreating it:
+
+<CodeGroup>
+```typescript TypeScript
+const updated = await kernel.auth.connections.update(auth.id, {
+  login_url: 'https://netflix.com/login',
+  health_check_interval: 900, // 15 minutes
+  allowed_domains: ['netflix.com', 'accounts.google.com'],
+});
+```
+
+```python Python
+updated = await kernel.auth.connections.update(
+    auth.id,
+    login_url="https://netflix.com/login",
+    health_check_interval=900,  # 15 minutes
+    allowed_domains=["netflix.com", "accounts.google.com"],
+)
+```
+</CodeGroup>
+
+All fields are optional — only provided fields are changed. The `health_check_interval` update takes effect immediately without restarting the connection.
 
 ## Security