Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From intuned
Handles authentication in Intuned projects: login flows, auth session lifecycle, credential parameters, and programmatic login with TOTP 2FA. Load when the task involves logging into a protected site or handling gated content.
How this skill is triggered — by the user, by Claude, or both
Slash command
/intuned:auth-sessionsThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Authentication in Intuned is handled through auth sessions — the capability of logging into a protected site once, preserving that browser state, and reusing it across API runs. A project includes auth sessions only when its target website sits behind a login wall.
resources/auth-sessions-as-code.mdresources/first-time-authentication.mdresources/handling-2fa.mdresources/python/writing-create-and-check-apis.mdresources/running-auth-apis.mdresources/typescript/writing-create-and-check-apis.mdscripts/create-auth-sessions.shscripts/generate-2fa-code.shscripts/list-credentials.shAuthentication in Intuned is handled through auth sessions — the capability of logging into a protected site once, preserving that browser state, and reusing it across API runs. A project includes auth sessions only when its target website sits behind a login wall.
Two-factor-auth is not supported in Intuned, because in browser-automation, we are writing an automation that will be automated and run on its own, without the user's attendance. So if the auth-session requires a 2FA, Email/SMS verifcation codes, or anything that requires a user input, then it should be rejected because the user will not be able to provide this code when the automation runs.
You should always reject if the website requires real-time user input to proceed, you can't write a plan or generate a code if the website can't be logged in programatically (i.e using playwright code).
There is only One exception to this, TOTP tokens. If the user is using TOTP 2fa, and has the secret token to his TOTP app,
then you can generate the code with otpauth (TypeScript) or pyotp (Python) using the user's secret token and generate a TOTP code and fill it during login. See /intuned-agent-plugin/skills/auth-sessions/resources/handling-2fa.md. If the user can't provide a secret/token, stop and tell them to contact [email protected], don't ask the user to type codes manually.
Auth sessions preserve browser state (cookies, localStorage, sessionStorage) after a successful login. Two APIs run the lifecycle, placed in special auth-sessions directory in the project root (not inside api/):
auth-sessions/create (.py or .ts) — Login flow. Receives credentials as parameters, logs in, verifies success. Runtime captures browser state afterward.auth-sessions/check (.py or .ts) — Validation. Loads stored state, navigates to a protected page, returns a boolean indicating whether the session is still valid.Intuned manages auth sessions automatically, so API code never handles login itself:
create runs with credentials, logs in, and the runtime captures and saves the browser state.check validates the session; if invalid, create recreates it; then the API runs with the authenticated browser state injected automatically.Auth session APIs are not run like normal APIs — Intuned has dedicated CLI commands for running them and managing their lifecycle. Read resources/running-auth-apis.md for the commands.
Credentials are stored as JSON parameter files at .parameters/auth-sessions/create/{name}.json (e.g. default.json, admin.json). Each file contains the key-value pairs for that login and is passed to the auth-sessions/create API as input parameters.
To collect credentials, do NOT ask the user to paste them into the chat — you must never see the secret values. Instead, write the file yourself with the login form's field names (e.g. username/password) and empty placeholder values, then ask the user to open the file and fill in the real values directly. Example to write:
{ "username": "", "password": "" }
Then tell the user the path and ask them to fill it in (not in chat — you won't read it back), and wait for them to confirm before running the auth session. Check the list script first — if a credential file already exists with the right fields, assume it's filled and don't recreate it. Never echo stored secrets back; the same care applies to auth-sessions-instances/, which stores browser state.
Run this skill's bundled scripts/list-credentials.sh — the path is relative to this skill's own directory (resolve it against the skill's base directory shown when the skill loads), and run it with the project root as the working directory:
scripts/list-credentials.sh
Returns credential file names and their field names (e.g. username, password) without exposing any values.
Auth sessions are enabled by setting two flags together in Intuned.json:
{
"apiAccess": { "enabled": true },
"authSessions": { "enabled": true, "type": "API" }
}
Both are required together — type: "API" is mandatory when enabled: true, and apiAccess must also be enabled. Once set, all API runs require --auth-session <id>, even APIs that don't touch login.
Auth restores cookies and storage, but page.context.request and similar must match a successful browser request for that site. Don’t assume one CSRF pattern (e.g. cookie + X-Requested-With: XMLHttpRequest) without checking — tokens may live in storage or need different headers.
intuned-agent/tab_${tabId}/network/: same URL, method, body, and auth headers. User cURL is often incomplete.page.evaluate checks on document.cookie / localStorage / sessionStorage. Don’t log secrets.Each task has a dedicated resource that holds the exact CLI commands and function signatures — read the relevant one before acting, since guessing produces wrong CLI commands and wrong signatures:
resources/first-time-authentication.mdIntuned.json (above), then follow first-time-authentication if you still need to log in manually--auth-session <id>resources/running-auth-apis.mdcreate or check → the guide for your language:
resources/python/writing-create-and-check-apis.mdresources/typescript/writing-create-and-check-apis.md/intuned-agent-plugin/skills/auth-sessions/resources/handling-2fa.md.auth-session.json resource files → resources/auth-sessions-as-code.mdpage.context.request) → see Authenticated backend calls aboveFor more info, search the Intuned docs using the search_intuned and query_docs_filesystem_intuned tools.
npx claudepluginhub intuned/skillsCreates bite-sized, testable implementation plans from specs or requirements, with file structure and task decomposition. Activates before coding multi-step tasks.