Users and Accounts

Manage users, linked accounts, passwords, email changes, and account deletion.

Kernia separates users from accounts. A user is the person in your application. An account is a credential source: email/password, a social provider, a passkey account, a phone credential, or another plugin-owned identity.

Update user profile

// Browser-side call from the signed-in session; credentials: "include" sends the session cookie.
await fetch("http://localhost:8000/api/auth/update-user", {
  method: "POST",
  credentials: "include",
  headers: { "content-type": "application/json" },
  body: JSON.stringify({ name: "Ada Lovelace", image: "https://example.com/ada.png" }),
});
POST /api/auth/update-user

Updates mutable profile fields on the active user.

Change email

Email changes require an active session and should use verification whenever mailbox ownership matters, since the new address becomes the user's login identifier.

POST /api/auth/change-email

Changes the active user's email according to configured verification rules.

Change password

POST /api/auth/change-password

Verifies the current password, hashes the new password, and can revoke other sessions.

Password updates should also rotate sensitive sessions in application code when your product requires it.

Delete user

POST /api/auth/delete-user

Deletes the active user and related sessions/accounts through the adapter.

Expose deletion behind confirmation UI and audit logging. For regulated SaaS products, coordinate deletion with billing, workspace ownership, and data retention policies.

Linked accounts

GET /api/auth/list-accounts

Lists credential and OAuth accounts linked to the active user.

POST /api/auth/unlink-account

Unlinks a provider account from the active user.

POST /api/auth/get-access-token

Returns a stored OAuth access token when present and not expired.

Account linking policy

from kernia.types.init_options import AccountLinkingOptions, AccountOptions

# Part of the init options (see kernia.types.init_options); shown here as the
# `account` keyword argument on its own.
account=AccountOptions(
    account_linking=AccountLinkingOptions(
        enabled=True,
        # Only providers that verify email ownership may link automatically.
        trusted_providers=("google", "github"),
        # Never merge accounts whose emails differ without a separate proof step.
        allow_different_emails=False,
    ),
    # Stored OAuth tokens are encrypted at rest.
    encrypt_oauth_tokens=True,
)

Use trusted-provider linking only for providers that verify email ownership; a provider email that the provider has not verified is not proof that the person controls that mailbox. Do not automatically link accounts with unrelated emails unless your product has a separate proof step.
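The policy above, worked through as a stand-alone decision function. This is an added illustration of the rules the page describes, not Kernia's own implementation; the LinkingPolicy and ProviderProfile classes are constructed stand-ins for the library's types, and proof_step_passed models the separate proof step the page mentions (for example an explicit link request made from an authenticated session).

```python
from dataclasses import dataclass


# Constructed stand-ins for the policy and the incoming provider profile (not Kernia's types).
@dataclass(frozen=True)
class LinkingPolicy:
    enabled: bool = False
    trusted_providers: tuple[str, ...] = ()
    allow_different_emails: bool = False


@dataclass(frozen=True)
class ProviderProfile:
    provider: str
    email: str
    email_verified: bool  # the provider's own assertion about mailbox ownership


def link_decision(policy: LinkingPolicy, existing_email: str,
                  profile: ProviderProfile, proof_step_passed: bool = False) -> tuple[str, str]:
    """Decide whether a provider account may be attached to the existing user.

    Returns (decision, reason) where decision is "link", "require_proof" or "reject".
    """
    if not policy.enabled:
        return "reject", "account linking is disabled"
    if proof_step_passed:
        # A product-level proof step stands in for the provider's assertion about the mailbox.
        return "link", "separate proof step satisfied"
    if profile.provider not in policy.trusted_providers:
        # An untrusted provider may not attach itself to an existing user on email alone.
        return "require_proof", f"{profile.provider} is not a trusted provider"
    if not profile.email_verified:
        # Even a trusted provider cannot vouch for an address it has not verified.
        return "require_proof", "provider did not assert a verified email"
    same_email = profile.email.strip().lower() == existing_email.strip().lower()
    if not same_email:
        if policy.allow_different_emails:
            return "link", "different email permitted by policy"
        return "reject", "email differs from the existing account and allow_different_emails is False"
    return "link", "trusted provider with matching verified email"


if __name__ == "__main__":
    policy = LinkingPolicy(enabled=True, trusted_providers=("google", "github"))
    for profile in (ProviderProfile("google", "ada@example.com", True),
                    ProviderProfile("google", "ada@example.com", False),
                    ProviderProfile("github", "other@example.com", True)):
        print(profile.provider, profile.email, "->", link_decision(policy, "ada@example.com", profile))
```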

Settings page coverage

A complete SaaS settings page should use these APIs for profile editing, linked-account display, session revocation, password changes, API keys, and security state. The UI should show unavailable providers as unavailable rather than presenting missing provider credentials as a successfully linked state.