Introduction

Auth sessions in Intuned allow you to add authentication to any browser automation task. This includes creating authenticated scrapers, automated RPA processes, or building authenticated integrations when APIs are not available.

Intuned’s auth sessions come with features that handle common authentication challenges, such as: securing credentials, solving challenges, proxy support, and more!

Use cases

Scrapers

Build authenticated scrapers that capture data from authenticated websites.

Social media

Build LinkedIn integration to automate GTM tasks on behalf of your users.

E-commerce

Automate back-office workflows like order fulfillment, adjustments, and tracking.

Travel and accommodations

Automate reservation processes for flights, hotels, restaurants, and more.

Auth session types

Intuned offers two types of auth sessions. Its important to understand the differences between the two types to pick the right one for your use case.

Credentials-based auth Sessions

These auth sessions are created when users provide credentials to run a browser automation code that completes the authentication workflow. The credentials are also stored and when the session expires Intuned will attempt to re-authenticate with the saved credentials. From a developer point of view, the developer needs to write the authentication code but everything else is handled by Intuned. The auth session will continue to be active as long as the credentials are valid. This should be the default choice for using auth sessions in Intuned.

Unique characteristics:

  • Requires providing credentials to create the auth session
  • Requires Intuned to persist the credentials
  • Allows for longer-lasting sessions, as they can be refreshed programmatically
  • Developer needs to write the authentication code

Recorder-based auth sessions

Recorder-based auth sessions are created by asking the user to authenticate on a browser and then capturing the authenticated session (cookies, sessions, local storage). Recorder-based auth session allows sharing access without providing credentials. The developer has to provide some info about how the authentication works on the targeted website and Intuned will handle the rest. Creating an auth session here requires the user to be present and to authenticate to a browser session. The auth session will expire when the user’s session on the targeted website expires. When the session expires, the user must be present to re-authenticate. This type should be used when the user is not comfortable sharing their credentials or with services that have a long session time - a typical example here is LinkedIn auth.

Unique characteristics:

  • Does not require users to share their credentials
  • Does not require Intuned to persist the credentials
  • Has a session lifetime that is dependent on the target service and typically bound to the user’s original session duration
  • Developer needs to provide some info about how the authentication works on the targeted website (start url, auth final url)

Common features

Credentials-based and recorder-based auth sessions share the common key features including:

  • lifecycle management via API or UI
  • proxy support: ensure actions are coming from the same IP
  • monitoring support
  • Jobs and Queues support

Picking the right auth session type to use

Prior to starting with auth sessions, you must decide on which type you want to use for your use case, some useful questions to ask yourself:

  • Are you authenticating into a target services to complete actions on behalf of your users?
  • Are you authenticating into a target service on behalf of your own company to automate back-office tasks?
  • Are your users comfortable sharing their credentials to access the target service?
  • How frequently would your users require actions to be completed on their behalf on the target service? Are they daily/weekly scheduled tasks or on demand tasks?
  • How long can you stay signed in to the target service before being prompted to enter your credentials again?
  • Does the target service prompt for two factor authentication when requests are coming from a new device or new location or new browser? Do you need to use proxies with Auth Sessions?

To determine which auth session to use you can refer to the flow chart below:

No

Yes

Yes

No

Yes

No

Yes

No

Need to build an integration
to act onbehalf of a user?

Auth session not required

User require actions to be
completed on their behalf
very frequently?
i.e pull data daily

Can user remain signed in
for a long time on the
same device/browser once
signed in? i.e like LinkedIn

Is user comfortable
sharing credentials?

Utilize API auth session

Utilize Recorder auth session

Auth session lifecycle

One of the important aspects of dealing with auth sessions is understanding the session lifecycle: when the session has expired and recovering from that. Intuned asks developers to implement a check function (inside a check.ts file) this function should return a boolean (true/false) that indicates if the session is still valid or not. This function is called before executing any authenticated action (API). If the function returns false, Intuned will attempt to re-authenticate the session using the saved credentials (for Credentials-based auth sessions) or mark the session as expired (for Recorder-based auth sessions).

Credentials-based auth sessions lifecycle

  • When created, the session is marked as active.
  • Before executing any API call, the check.ts function is called. If the function returns false, Intuned will attempt to re-authenticate the session using the saved credentials. This is done by calling the refresh.ts API using the saved credentials.
  • If the refresh.ts API fails, the session is marked as expired. Any further APIs that use this session will fail with 401 status code.
  • The session state can be checked using the get session API.
  • The session can be updated using the update session API - this API requires the credentials to be passed in the body - for more info check: update auth session - Start, update auth session - resume and update auth session - result.
  • Any Job or Queue that uses the auth session will be paused when the auth session is marked as expired.

Recorder-based auth sessions lifecycle

  • When created, the session is marked as active.
  • Before executing any API call, the check.ts function is called. If the function returns false, the session is marked as expired.
  • The session state can be checked using the get session API.
  • The session can be updated - however, this process requires the user to be present to re-authenticate.
  • Any Job or Queue that uses the auth session will be paused when the auth session is marked as expired.

Managing auth sessions

Auth sessions can be managed via the Intuned UI or via the API.

  • The UI provides a simple way to create, update, and delete auth sessions. This is typically used when you are building an authenticated scraper or doing back-office automation with a limited set of auth sessions.

Auth Session UI Management

  • The API provides a way to manage auth sessions programmatically. This is typically used when you are building an integration that has no APIs and you want to automate actions on behalf of your users (you need to provide credentials). Building a LinkedIn integration is a good example here. For API docs, you can look at the Auth Sessions API reference.

Learn more

Developing with auth sessions

Learn how to develop auth sessions

Consuming with auth sessions

Learn how to consume auth sessions at scale