kernel-auth

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Kernel Auth Skill

Setup and manage Kernel managed authentication connections for any website with safety checks and reauthentication support.

为任意网站设置和管理Kernel托管的认证连接，包含安全检查和重新认证支持。

Quick Start

快速开始

bash

kernel-auth setup gmail

Then visit the URL printed to complete login.

Works for any website — See Using Custom Domains for any other site.

bash

kernel-auth setup gmail

然后访问打印出的URL完成登录。

支持任意网站 — 如需其他站点，请查看使用自定义域名部分。

Usage

使用方法

bash

kernel-auth setup <service> [--profile-name <name>]

bash

kernel-auth setup <service> [--profile-name <name>]

Built-in Services

内置服务

```
gmail
```
→ gmail.com
```
github
```
→ github.com
```
outlook
```
→ outlook.com

```
gmail
```
→ gmail.com
```
github
```
→ github.com
```
outlook
```
→ outlook.com

Using Custom Domains

使用自定义域名

For any other website, use the

--domain

flag:

bash

kernel-auth setup --domain amazon.com --profile-name amazon-main
kernel-auth setup --domain linkedin.com
kernel-auth setup --domain example.com --profile-name custom-site

对于其他任意网站，使用

--domain

参数：

bash

kernel-auth setup --domain amazon.com --profile-name amazon-main
kernel-auth setup --domain linkedin.com
kernel-auth setup --domain example.com --profile-name custom-site

Examples

示例

bash

kernel-auth setup gmail
kernel-auth setup github --profile-name github-work
kernel-auth setup outlook

bash

kernel-auth setup gmail
kernel-auth setup github --profile-name github-work
kernel-auth setup outlook

Authentication Flow

认证流程

Create auth connection — Sets up a managed auth profile (domain + profile name)
Initiate login session — Generates a hosted login URL
You visit URL — Complete the login flow on your device/browser
Login state stored in profile — Kernel saves your authenticated session
Use authenticated browser — Create browser sessions with that profile, automatically logged in

创建认证连接 — 设置托管的认证配置文件（域名 + 配置文件名）
启动登录会话 — 生成托管登录URL
访问URL — 在你的设备/浏览器中完成登录流程
登录状态存储到配置文件 — Kernel保存你的已认证会话
使用已认证浏览器 — 使用该配置文件创建浏览器会话，自动完成登录

Key Concepts

核心概念

Auth Connections

认证连接

Each connection ties a service domain to a profile name
Connections can be reused for multiple browser sessions
Status:
```
AUTHENTICATED
```
(user completed login, state stored) or
```
NEEDS_AUTH
```
(never logged in or login session expired)

每个连接将服务域名与配置文件名绑定
连接可重复用于多个浏览器会话
状态：
```
AUTHENTICATED
```
（用户完成登录，状态已存储）或
```
NEEDS_AUTH
```
（从未登录或登录会话已过期）

Login Sessions

登录会话

Login sessions (the hosted URL) expire after a generous timeframe as cleanup
If you don't complete login within that window, the session is deleted
The connection itself stays — just initiate a new login session

Check connection status:

bash

kernel auth connections list  # Check status
kernel auth connections get <id>  # Get connection details

If a connection shows

NEEDS_AUTH

bash

kernel-auth setup <service>  # Re-initiate login session with fresh URL

登录会话（托管URL）会在一段时间后过期并清理
如果未在该时间窗口内完成登录，会话将被删除
连接本身会保留 — 只需重新启动新的登录会话

检查连接状态：

bash

kernel auth connections list  # 检查状态
kernel auth connections get <id>  # 获取连接详情

如果连接状态显示

NEEDS_AUTH

：

bash

kernel-auth setup <service>  # 重新启动登录会话以获取新URL

Why Manual URL Visit?

为什么需要手动访问URL？

Login sessions are time-bound — If you don't visit within the window, they expire (cleanup)
Prevent auto-opening — Avoid Telegram/email clients accidentally consuming the link
Control is yours — You visit the URL when you're ready

登录会话有时间限制 — 如果未在窗口内访问，会话会过期（自动清理）
防止自动打开 — 避免Telegram/邮件客户端意外消耗链接
控制权在你手中 — 你可以在准备好时再访问URL

Checking Status

状态检查

bash

undefined

bash

undefined

List all auth connections

列出所有认证连接

kernel auth connections list -o json

Check specific connection

检查特定连接

kernel auth connections get <connection-id> -o json | jq '.status'

undefined

kernel auth connections get <connection-id> -o json | jq '.status'

undefined

Using Authenticated Browsers

使用已认证浏览器

Once auth is connected, create browser sessions with that profile:

bash

undefined

完成认证连接后，使用该配置文件创建浏览器会话：

bash

undefined

Create browser with Gmail auth already loaded

创建已加载Gmail认证的浏览器

kernel browser create --profile-name gmail-main --stealth -o json

Browser will be logged into Gmail automatically

浏览器将自动登录Gmail

undefined

undefined

Important Notes

重要说明

⚠️ Profile Deletion = Cascade Delete

⚠️ 配置文件删除 = 级联删除

Deleting a Kernel profile deletes ALL connections attached to it:

bash

kernel profile delete gmail-main  # Deletes ALL gmail-main connections

Use sparingly. Better to refresh auth than delete and recreate.

删除Kernel配置文件会删除所有与其关联的连接：

bash

kernel profile delete gmail-main  # 删除所有gmail-main相关连接

请谨慎使用。刷新认证比删除重建更合适。

🔗 Telegram & Link Previews

🔗 Telegram与链接预览

If you send auth URLs via Telegram, disable link previews in settings:

Settings → Privacy & Security → Link Preview → Never show

Otherwise Telegram auto-opens the URL and consumes the code.

如果通过Telegram发送认证URL，请在设置中禁用链接预览：

设置 → 隐私与安全 → 链接预览 → 从不显示否则Telegram会自动打开URL并消耗验证码。

🌐 Network Requirements

🌐 网络要求

Kernel auth requires:

Outbound HTTPS to Kernel's managed auth service
Browser with JavaScript enabled
Cookie/session storage support

Kernel认证需要：

可访问Kernel托管认证服务的HTTPS出站连接
启用JavaScript的浏览器
支持Cookie/会话存储

Scripts

脚本功能

```
setup
```
— Create connection, generate login URL, display instructions
No background watchers — You control when/if you visit the URL

```
setup
```
— 创建连接、生成登录URL、显示操作说明
无后台监控程序 — 由你控制是否以及何时访问URL

Troubleshooting

故障排除

"Code already used"

"Code already used"（验证码已被使用）

The auth code was consumed. This happens if:

You visited the URL twice
Telegram/email client auto-opened it
Someone else completed the login first

Solution: Run

kernel-auth setup <service>

again to get a fresh code.

认证验证码已被消耗。可能的原因：

你两次访问了该URL
Telegram/邮件客户端自动打开了它
其他人先完成了登录

解决方法：重新运行

kernel-auth setup <service>

以获取新的验证码。

"Code expired"

"Code expired"（验证码已过期）

Codes expire after ~40 minutes. Re-run setup to generate a new one.

验证码约40分钟后过期。重新运行setup命令生成新验证码。

"Connection not found"

"Connection not found"（连接未找到）

The connection may have been deleted. Run setup again to create it.

连接可能已被删除。重新运行setup命令创建新连接。

Auth Status is NEEDS_AUTH

认证状态为NEEDS_AUTH

You didn't complete the login within the session window, or you need to re-authenticate. Re-initiate login:

bash

kernel-auth setup gmail

你未在会话窗口内完成登录，或者需要重新认证。重新启动登录：

bash

kernel-auth setup gmail

Integration with OpenClaw

与OpenClaw集成

The auth skill integrates with OpenClaw cron jobs:

Cron job checks auth status before running
If
```
AUTHENTICATED
```
, proceeds with browser automation
If not, sends message requesting reauthentication
User confirms, system re-runs auth flow

Example from GMAIL_DAILY_WORKFLOW.md:

bash

undefined

该认证技能可与OpenClaw定时任务集成：

定时任务在运行前检查认证状态
如果状态为
```
AUTHENTICATED
```
，继续执行浏览器自动化
如果不是，发送消息请求重新认证
用户确认后，系统重新执行认证流程

来自GMAIL_DAILY_WORKFLOW.md的示例：

bash

undefined

Daily cron checks this before scraping

每日定时任务在抓取前检查此状态

AUTH_STATUS=$(kernel auth connections list -o json | jq -r ".[] | select(.domain == "gmail.com") | .status") if [ "$AUTH_STATUS" != "AUTHENTICATED" ]; then echo "Reauthentication needed" exit 1 fi

undefined

AUTH_STATUS=$(kernel auth connections list -o json | jq -r ".[] | select(.domain == "gmail.com") | .status") if [ "$AUTH_STATUS" != "AUTHENTICATED" ]; then echo "需要重新认证" exit 1 fi

undefined

Advanced

高级用法

Programmatic Auth Check

程序化认证检查

bash

undefined

bash

undefined

Get auth status

获取认证状态

kernel auth connections list -o json | jq '.[] | {id, status, domain}'

Delete and recreate

删除并重建

kernel profile delete gmail-main --yes kernel-auth setup gmail

undefined

kernel profile delete gmail-main --yes kernel-auth setup gmail

undefined

Multiple Accounts

多账户管理

Create separate profiles for each account:

bash

kernel-auth setup gmail --profile-name gmail-personal
kernel-auth setup gmail --profile-name gmail-work

Then use the appropriate profile when creating browsers:

bash

kernel browser create --profile-name gmail-work --stealth

为每个账户创建独立的配置文件：

bash

kernel-auth setup gmail --profile-name gmail-personal
kernel-auth setup gmail --profile-name gmail-work

然后在创建浏览器时使用对应的配置文件：

bash

kernel browser create --profile-name gmail-work --stealth