kernel-auth
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseKernel Auth Skill
Kernel Auth Skill
Setup and manage Kernel managed authentication connections for any website with safety checks and reauthentication support.
为任意网站设置和管理Kernel托管的认证连接,包含安全检查和重新认证支持。
Quick Start
快速开始
bash
kernel-auth setup gmailThen visit the URL printed to complete login.
Works for any website — See Using Custom Domains for any other site.
Usage
使用方法
bash
kernel-auth setup <service> [--profile-name <name>]bash
kernel-auth setup <service> [--profile-name <name>]Built-in Services
内置服务
- → gmail.com
gmail - → github.com
github - → outlook.com
outlook
- → gmail.com
gmail - → github.com
github - → outlook.com
outlook
Using Custom Domains
使用自定义域名
For any other website, use the flag:
--domainbash
kernel-auth setup --domain amazon.com --profile-name amazon-main
kernel-auth setup --domain linkedin.com
kernel-auth setup --domain example.com --profile-name custom-site对于其他任意网站,使用参数:
--domainbash
kernel-auth setup --domain amazon.com --profile-name amazon-main
kernel-auth setup --domain linkedin.com
kernel-auth setup --domain example.com --profile-name custom-siteExamples
示例
bash
kernel-auth setup gmail
kernel-auth setup github --profile-name github-work
kernel-auth setup outlookbash
kernel-auth setup gmail
kernel-auth setup github --profile-name github-work
kernel-auth setup outlookAuthentication Flow
认证流程
- Create auth connection — Sets up a managed auth profile (domain + profile name)
- Initiate login session — Generates a hosted login URL
- You visit URL — Complete the login flow on your device/browser
- Login state stored in profile — Kernel saves your authenticated session
- Use authenticated browser — Create browser sessions with that profile, automatically logged in
- 创建认证连接 — 设置托管的认证配置文件(域名 + 配置文件名)
- 启动登录会话 — 生成托管登录URL
- 访问URL — 在你的设备/浏览器中完成登录流程
- 登录状态存储到配置文件 — Kernel保存你的已认证会话
- 使用已认证浏览器 — 使用该配置文件创建浏览器会话,自动完成登录
Key Concepts
核心概念
Auth Connections
认证连接
- Each connection ties a service domain to a profile name
- Connections can be reused for multiple browser sessions
- Status: (user completed login, state stored) or
AUTHENTICATED(never logged in or login session expired)NEEDS_AUTH
- 每个连接将服务域名与配置文件名绑定
- 连接可重复用于多个浏览器会话
- 状态:(用户完成登录,状态已存储)或
AUTHENTICATED(从未登录或登录会话已过期)NEEDS_AUTH
Login Sessions
登录会话
- Login sessions (the hosted URL) expire after a generous timeframe as cleanup
- If you don't complete login within that window, the session is deleted
- The connection itself stays — just initiate a new login session
Check connection status:
bash
kernel auth connections list # Check status
kernel auth connections get <id> # Get connection detailsIf a connection shows :
NEEDS_AUTHbash
kernel-auth setup <service> # Re-initiate login session with fresh URL- 登录会话(托管URL)会在一段时间后过期并清理
- 如果未在该时间窗口内完成登录,会话将被删除
- 连接本身会保留 — 只需重新启动新的登录会话
检查连接状态:
bash
kernel auth connections list # 检查状态
kernel auth connections get <id> # 获取连接详情如果连接状态显示:
NEEDS_AUTHbash
kernel-auth setup <service> # 重新启动登录会话以获取新URLWhy Manual URL Visit?
为什么需要手动访问URL?
- Login sessions are time-bound — If you don't visit within the window, they expire (cleanup)
- Prevent auto-opening — Avoid Telegram/email clients accidentally consuming the link
- Control is yours — You visit the URL when you're ready
- 登录会话有时间限制 — 如果未在窗口内访问,会话会过期(自动清理)
- 防止自动打开 — 避免Telegram/邮件客户端意外消耗链接
- 控制权在你手中 — 你可以在准备好时再访问URL
Checking Status
状态检查
bash
undefinedbash
undefinedList all auth connections
列出所有认证连接
kernel auth connections list -o json
kernel auth connections list -o json
Check specific connection
检查特定连接
kernel auth connections get <connection-id> -o json | jq '.status'
undefinedkernel auth connections get <connection-id> -o json | jq '.status'
undefinedUsing Authenticated Browsers
使用已认证浏览器
Once auth is connected, create browser sessions with that profile:
bash
undefined完成认证连接后,使用该配置文件创建浏览器会话:
bash
undefinedCreate browser with Gmail auth already loaded
创建已加载Gmail认证的浏览器
kernel browser create --profile-name gmail-main --stealth -o json
kernel browser create --profile-name gmail-main --stealth -o json
Browser will be logged into Gmail automatically
浏览器将自动登录Gmail
undefinedundefinedImportant Notes
重要说明
⚠️ Profile Deletion = Cascade Delete
⚠️ 配置文件删除 = 级联删除
Deleting a Kernel profile deletes ALL connections attached to it:
bash
kernel profile delete gmail-main # Deletes ALL gmail-main connectionsUse sparingly. Better to refresh auth than delete and recreate.
删除Kernel配置文件会删除所有与其关联的连接:
bash
kernel profile delete gmail-main # 删除所有gmail-main相关连接请谨慎使用。刷新认证比删除重建更合适。
🔗 Telegram & Link Previews
🔗 Telegram与链接预览
If you send auth URLs via Telegram, disable link previews in settings:
- Settings → Privacy & Security → Link Preview → Never show
Otherwise Telegram auto-opens the URL and consumes the code.
如果通过Telegram发送认证URL,请在设置中禁用链接预览:
- 设置 → 隐私与安全 → 链接预览 → 从不显示 否则Telegram会自动打开URL并消耗验证码。
🌐 Network Requirements
🌐 网络要求
Kernel auth requires:
- Outbound HTTPS to Kernel's managed auth service
- Browser with JavaScript enabled
- Cookie/session storage support
Kernel认证需要:
- 可访问Kernel托管认证服务的HTTPS出站连接
- 启用JavaScript的浏览器
- 支持Cookie/会话存储
Scripts
脚本功能
- — Create connection, generate login URL, display instructions
setup - No background watchers — You control when/if you visit the URL
- — 创建连接、生成登录URL、显示操作说明
setup - 无后台监控程序 — 由你控制是否以及何时访问URL
Troubleshooting
故障排除
"Code already used"
"Code already used"(验证码已被使用)
The auth code was consumed. This happens if:
- You visited the URL twice
- Telegram/email client auto-opened it
- Someone else completed the login first
Solution: Run again to get a fresh code.
kernel-auth setup <service>认证验证码已被消耗。可能的原因:
- 你两次访问了该URL
- Telegram/邮件客户端自动打开了它
- 其他人先完成了登录
解决方法:重新运行以获取新的验证码。
kernel-auth setup <service>"Code expired"
"Code expired"(验证码已过期)
Codes expire after ~40 minutes. Re-run setup to generate a new one.
验证码约40分钟后过期。重新运行setup命令生成新验证码。
"Connection not found"
"Connection not found"(连接未找到)
The connection may have been deleted. Run setup again to create it.
连接可能已被删除。重新运行setup命令创建新连接。
Auth Status is NEEDS_AUTH
认证状态为NEEDS_AUTH
You didn't complete the login within the session window, or you need to re-authenticate. Re-initiate login:
bash
kernel-auth setup gmail你未在会话窗口内完成登录,或者需要重新认证。重新启动登录:
bash
kernel-auth setup gmailIntegration with OpenClaw
与OpenClaw集成
The auth skill integrates with OpenClaw cron jobs:
- Cron job checks auth status before running
- If , proceeds with browser automation
AUTHENTICATED - If not, sends message requesting reauthentication
- User confirms, system re-runs auth flow
Example from GMAIL_DAILY_WORKFLOW.md:
bash
undefined该认证技能可与OpenClaw定时任务集成:
- 定时任务在运行前检查认证状态
- 如果状态为,继续执行浏览器自动化
AUTHENTICATED - 如果不是,发送消息请求重新认证
- 用户确认后,系统重新执行认证流程
来自GMAIL_DAILY_WORKFLOW.md的示例:
bash
undefinedDaily cron checks this before scraping
每日定时任务在抓取前检查此状态
AUTH_STATUS=$(kernel auth connections list -o json | jq -r ".[] | select(.domain == "gmail.com") | .status")
if [ "$AUTH_STATUS" != "AUTHENTICATED" ]; then
echo "Reauthentication needed"
exit 1
fi
undefinedAUTH_STATUS=$(kernel auth connections list -o json | jq -r ".[] | select(.domain == "gmail.com") | .status")
if [ "$AUTH_STATUS" != "AUTHENTICATED" ]; then
echo "需要重新认证"
exit 1
fi
undefinedAdvanced
高级用法
Programmatic Auth Check
程序化认证检查
bash
undefinedbash
undefinedGet auth status
获取认证状态
kernel auth connections list -o json | jq '.[] | {id, status, domain}'
kernel auth connections list -o json | jq '.[] | {id, status, domain}'
Delete and recreate
删除并重建
kernel profile delete gmail-main --yes
kernel-auth setup gmail
undefinedkernel profile delete gmail-main --yes
kernel-auth setup gmail
undefinedMultiple Accounts
多账户管理
Create separate profiles for each account:
bash
kernel-auth setup gmail --profile-name gmail-personal
kernel-auth setup gmail --profile-name gmail-workThen use the appropriate profile when creating browsers:
bash
kernel browser create --profile-name gmail-work --stealth为每个账户创建独立的配置文件:
bash
kernel-auth setup gmail --profile-name gmail-personal
kernel-auth setup gmail --profile-name gmail-work然后在创建浏览器时使用对应的配置文件:
bash
kernel browser create --profile-name gmail-work --stealth