Update MCP docs for browser pool parity

Author: IlyaasK

docs.json

@@ -301,14 +301,20 @@
             "group": "Tools",
             "pages": [
               "reference/mcp-server/tools/manage-browsers",
-              "reference/mcp-server/tools/manage-profiles",
               "reference/mcp-server/tools/manage-browser-pools",
-              "reference/mcp-server/tools/manage-proxies",
-              "reference/mcp-server/tools/manage-extensions",
-              "reference/mcp-server/tools/manage-apps",
+              "reference/mcp-server/tools/browser-curl",
               "reference/mcp-server/tools/computer-action",
               "reference/mcp-server/tools/execute-playwright-code",
               "reference/mcp-server/tools/exec-command",
+              "reference/mcp-server/tools/manage-profiles",
+              "reference/mcp-server/tools/manage-proxies",
+              "reference/mcp-server/tools/manage-extensions",
+              "reference/mcp-server/tools/manage-apps",
+              "reference/mcp-server/tools/manage-projects",
+              "reference/mcp-server/tools/manage-api-keys",
+              "reference/mcp-server/tools/manage-auth-connections",
+              "reference/mcp-server/tools/manage-credentials",
+              "reference/mcp-server/tools/manage-credential-providers",
               "reference/mcp-server/tools/search-docs"
             ]
           },

reference/mcp-server.mdx

@@ -21,7 +21,7 @@ The server is a centrally hosted, authenticated remote MCP using OAuth 2.1 with
     Authorize access through your browser when prompted. See [Authentication](/reference/mcp-server/authentication) for OAuth and API key options.
   </Step>
   <Step title="Start automating">
-    Use the [tools](/reference/mcp-server/tools/manage-browsers) to launch browsers, run Playwright code, and invoke your apps.
+    Use the [tools](/reference/mcp-server/tools/manage-browsers) to launch browsers, warm browser pools, run Playwright code, invoke your apps, and manage auth workflows.
   </Step>
 </Steps>
 
@@ -38,7 +38,7 @@ The server is a centrally hosted, authenticated remote MCP using OAuth 2.1 with
     Setup for Claude, Cursor, VS Code, and more.
   </Card>
   <Card icon="wrench" title="Tools" href="/reference/mcp-server/tools/manage-browsers">
-    Browsers, profiles, proxies, apps, and more.
+    Browsers, pools, apps, projects, API keys, and managed auth.
   </Card>
   <Card icon="database" title="Resources" href="/reference/mcp-server/resources">
     Read browsers, pools, profiles, and apps.

reference/mcp-server/resources.mdx

@@ -3,11 +3,17 @@ title: "Resources"
 description: "Read browsers, pools, profiles, and apps as MCP resources"
 ---
 
-The Kernel MCP server exposes your account's objects as MCP resources. Each resource URI lists all items or returns a specific one.
+The Kernel MCP server exposes your account's objects as MCP resources. List URIs return collections, and templated URIs return one object.
 
 | Resource | Description |
 |----------|-------------|
-| `browsers://` | Access browser sessions (list all or get a specific session). |
-| `browser_pools://` | Access browser pools (list all or get a specific pool). |
-| `profiles://` | Access browser profiles (list all or get a specific profile). |
-| `apps://` | Access deployed apps (list all or get a specific app). |
+| `browsers://` | List browser sessions. |
+| `browsers://{session_id}` | Read one browser session. |
+| `browser-pools://` | List browser pools. |
+| `browser-pools://{id_or_name}` | Read one browser pool by ID or name. |
+| `profiles://` | List browser profiles. |
+| `profiles://{profile_name}` | Read one browser profile by name. |
+| `apps://` | List deployed apps. |
+| `apps://{app_name}` | Read one deployed app by name. |
+
+Use resources when your client needs read-only context. Use the matching `manage_*` tool when you need to create, update, delete, acquire, release, or invoke something.

reference/mcp-server/tools/browser-curl.mdx

@@ -0,0 +1,58 @@
+---
+title: "Browser Curl"
+description: "Send HTTP requests through an existing browser session"
+---
+
+Use `browser_curl` when an agent needs an HTTP request to behave like it came from an existing browser session. The request goes through the browser's Chrome network stack, so it can use the session's cookies, proxy, network context, and origin behavior.
+
+This is useful after a browser has logged in to a site and the agent needs a JSON endpoint, a redirect target, or a binary asset without writing Playwright code for the request.
+
+<Note>For documentation lookup or general web search, use `search_docs` or your agent's normal search tool instead.</Note>
+
+## Recommended flow
+
+1. Use `manage_browsers` or `manage_browser_pools` to get a browser with the right cookies, proxy, and profile.
+2. Call `browser_curl` with the returned `session_id`.
+3. Use `response_encoding: "base64"` when the response might be binary.
+4. Use `execute_playwright_code` instead when you need page JavaScript, DOM state, or user-visible navigation.
+
+## Parameters
+
+| Parameter | Description |
+|-----------|-------------|
+| `session_id` | Browser session ID. Required. |
+| `url` | Target `http` or `https` URL. Required. |
+| `method` | HTTP method: `GET`, `HEAD`, `POST`, `PUT`, `PATCH`, `DELETE`, or `OPTIONS`. Defaults to `GET`. |
+| `headers` | Custom headers merged with browser defaults. |
+| `body` | Request body for `POST`, `PUT`, or `PATCH` requests. |
+| `response_encoding` | Response body encoding: `utf8` or `base64`. Use `base64` for binary content. |
+| `timeout_ms` | Request timeout in milliseconds. Must be 1 or greater. |
+
+## Read an authenticated endpoint
+
+```json
+{
+  "session_id": "browser_2vDb5kRmZ4nP8xQ1cA7",
+  "url": "https://app.example.com/api/account",
+  "method": "GET",
+  "headers": {
+    "Accept": "application/json"
+  },
+  "timeout_ms": 10000
+}
+```
+
+## Post with browser cookies
+
+```json
+{
+  "session_id": "browser_2vDb5kRmZ4nP8xQ1cA7",
+  "url": "https://app.example.com/api/tasks",
+  "method": "POST",
+  "headers": {
+    "Content-Type": "application/json"
+  },
+  "body": "{\"title\":\"Run nightly checkout audit\"}",
+  "response_encoding": "utf8"
+}
+```

reference/mcp-server/tools/computer-action.mdx

@@ -1,18 +1,18 @@
 ---
-title: "computer_action"
-description: "Mouse, keyboard, and screenshot controls for browser sessions"
+title: "Computer Action"
+description: "Mouse, keyboard, clipboard, and screenshot controls for browser sessions"
 ---
 
-Execute computer actions on a browser session. Pass a single action for simple operations, or pass multiple actions to batch them into one request for lower latency.
+Use `computer_action` when an agent needs to interact with the browser like a user: click, type, scroll, drag, copy, paste, or inspect the screen. Pass one action for a simple operation, or batch several actions into one call to reduce latency.
 
-<Tip>Always include a `screenshot` as the last action so you can see the result. `screenshot` and `get_mouse_position` return data, so they must come last.</Tip>
+<Tip>Include a `screenshot` as the last action when you need to see the result. `screenshot`, `read_clipboard`, and `get_mouse_position` return data, so they must be the last action if included.</Tip>
 
 ## Parameters
 
 | Parameter | Description |
 |-----------|-------------|
 | `session_id` | Browser session ID. Required. |
-| `actions` | Ordered list of actions to perform. Required. |
+| `actions` | Ordered list of one or more actions to perform. Required. |
 
 ## Action types
 
@@ -26,10 +26,19 @@ Execute computer actions on a browser session. Pass a single action for simple o
 | `drag_mouse` | Drag along a `path` of `[x, y]` points. |
 | `set_cursor` | Show or hide the cursor (`hidden`). |
 | `sleep` | Wait `duration_ms` between steps when the page needs time to react. |
+| `write_clipboard` | Write `text` to the browser session clipboard. |
+| `read_clipboard` | Read the browser session clipboard. Must be the last action if included. |
 | `screenshot` | Capture the page, optionally limited to a `region`. |
 | `get_mouse_position` | Return the current cursor position. |
 
-## Example
+## Recommended flow
+
+1. Start with `screenshot` so the agent can see the viewport and coordinate space.
+2. Batch related pointer and keyboard actions together.
+3. Add `sleep` between actions that trigger navigation, animation, or async UI updates.
+4. End with `screenshot`, `read_clipboard`, or `get_mouse_position` only when you need returned data.
+
+## Search from the page
 
 ```json
 {
@@ -43,3 +52,18 @@ Execute computer actions on a browser session. Pass a single action for simple o
   ]
 }
 ```
+
+## Clipboard example
+
+```json
+{
+  "session_id": "browser_2vDb5kRmZ4nP8xQ1cA7",
+  "actions": [
+    { "type": "write_clipboard", "write_clipboard": { "text": "https://kernel.sh/docs" } },
+    { "type": "press_key", "press_key": { "keys": ["Ctrl+l"] } },
+    { "type": "press_key", "press_key": { "keys": ["Ctrl+v"] } },
+    { "type": "press_key", "press_key": { "keys": ["Return"] } },
+    { "type": "screenshot" }
+  ]
+}
+```

reference/mcp-server/tools/exec-command.mdx

@@ -1,9 +1,9 @@
 ---
-title: "exec_command"
+title: "Exec Command"
 description: "Run shell commands inside a browser VM"
 ---
 
-Execute a command synchronously inside a browser VM. Returns decoded stdout, stderr, and the exit code. The `command` field is the executable; pass its arguments in `args`.
+Use `exec_command` to execute a command synchronously inside a browser VM. It returns decoded stdout, stderr, and the exit code. The `command` field is the executable; pass its arguments in `args`.
 
 ## Parameters
 

reference/mcp-server/tools/execute-playwright-code.mdx

@@ -1,9 +1,9 @@
 ---
-title: "execute_playwright_code"
+title: "Execute Playwright Code"
 description: "Run Playwright/TypeScript code against a browser session"
 ---
 
-Execute Playwright/TypeScript automation code against a Kernel browser session. If `session_id` is provided, uses that existing browser; otherwise creates a new one. Returns the result with a video replay URL, and auto-cleans up browsers it creates.
+Use `execute_playwright_code` to run Playwright/TypeScript automation code against a Kernel browser session. If you provide `session_id`, it uses that existing browser. If you omit `session_id`, it creates a browser and cleans it up after execution.
 
 <Tip>Use `computer_action` with the `screenshot` action instead of `page.screenshot()` in your code. For a comprehensive page state snapshot, use `await page._snapshotForAI()`.</Tip>
 

reference/mcp-server/tools/manage-api-keys.mdx

@@ -0,0 +1,59 @@
+---
+title: "Manage API Keys"
+description: "Create, list, update, and revoke Kernel API keys"
+---
+
+Use `manage_api_keys` when an agent or automation workflow needs to provision, inspect, rename, or revoke Kernel API keys. Created keys include the plaintext secret once; later reads return masked key metadata.
+
+Create project-scoped keys for workloads that only need one project's resources. Use org-wide keys only when the workload needs access across projects.
+
+## Actions
+
+| Action | Description |
+|--------|-------------|
+| `create` | Create an org-wide or project-scoped API key. |
+| `list` | List masked API keys. |
+| `get` | Retrieve one masked API key. |
+| `update` | Rename an API key. |
+| `delete` | Revoke an API key. |
+
+## Recommended flow
+
+1. Call `list` before creating a key so you don't duplicate an existing workload key.
+2. Call `create` with `project_id` for project-scoped automation.
+3. Store the returned plaintext key immediately.
+4. Call `update` when a key's owner or purpose changes.
+5. Call `delete` to revoke keys for retired workloads.
+
+## Parameters
+
+| Parameter | Description |
+|-----------|-------------|
+| `action` | Operation to perform. Required. |
+| `api_key_id` | API key ID. Required for `get`, `update`, and `delete`. |
+| `name` | (create, update) API key name. |
+| `project_id` | (create) Project ID for project-scoped keys. Omit or use `null` for org-wide keys. |
+| `days_to_expire` | (create) Days until expiry, up to 3650. Use `null` for no expiry. |
+| `limit` | (list) Max results per page. Must be 1-100. |
+| `offset` | (list) Pagination offset. Must be 0 or greater. |
+
+## Create a project-scoped key
+
+```json
+{
+  "action": "create",
+  "name": "checkout-agent-prod",
+  "project_id": "proj_2vE0M7bLwX9kQ4nP3sY8",
+  "days_to_expire": 90
+}
+```
+
+## Rename a key
+
+```json
+{
+  "action": "update",
+  "api_key_id": "ak_2vE1qJ7ZpLm8N4cT6rW0",
+  "name": "checkout-agent-prod-rotated"
+}
+```

reference/mcp-server/tools/manage-apps.mdx

@@ -1,9 +1,9 @@
 ---
-title: "manage_apps"
+title: "Manage Apps"
 description: "List apps, invoke actions, and check deployments and invocations"
 ---
 
-Manage Kernel apps, deployments, and invocations.
+Use `manage_apps` when an agent needs to run a deployed Kernel app or inspect app deployment state. List apps first when the agent doesn't know the exact app or action name, then invoke the action and poll the invocation result.
 
 ## Actions
 
@@ -15,6 +15,13 @@ Manage Kernel apps, deployments, and invocations.
 | `list_deployments` | Check deployment status. |
 | `get_invocation` | Check action results. |
 
+## Recommended flow
+
+1. Call `list_apps` to discover available apps and actions.
+2. Call `invoke` with `app_name`, `action_name`, and a JSON-string `payload`.
+3. Call `get_invocation` with the returned invocation ID when you need the result later.
+4. Use `list_deployments` and `get_deployment` when the agent needs deployment status.
+
 ## Parameters
 
 | Parameter | Description |
@@ -26,10 +33,10 @@ Manage Kernel apps, deployments, and invocations.
 | `version` | (list_apps, invoke) App version filter. Defaults to `latest` for invoke. |
 | `deployment_id` | (get_deployment) Deployment ID to retrieve. |
 | `invocation_id` | (get_invocation) Invocation ID to retrieve. |
-| `limit` | (list_apps, list_deployments) Max results. Default 50. |
-| `offset` | (list_apps, list_deployments) Pagination offset. Default 0. |
+| `limit` | (list_apps, list_deployments) Max results per page. Must be 1-100. |
+| `offset` | (list_apps, list_deployments) Pagination offset. Must be 0 or greater. |
 
-## Example
+## Invoke an app
 
 ```json
 {

reference/mcp-server/tools/manage-auth-connections.mdx

@@ -0,0 +1,76 @@
+---
+title: "Manage Auth Connections"
+description: "Create and operate managed auth connections for browser profiles"
+---
+
+Use `manage_auth_connections` when you want Kernel to keep a browser profile logged in to a third-party site. A connection ties a domain to a profile, then drives login and re-auth flows with stored credentials, external provider credentials, or user-provided input.
+
+This tool is best for recurring workflows where the agent needs durable access to a site but the login flow can require MFA, SSO, or occasional user review.
+
+## Actions
+
+| Action | Description |
+|--------|-------------|
+| `create` | Start managing auth for a profile and domain. |
+| `list` | List auth connections. |
+| `get` | Poll one connection or login flow state. |
+| `delete` | Remove an auth connection. |
+| `login` | Begin a login flow. Returns a hosted URL and live view URL. |
+| `submit` | Submit discovered field values, an MFA option, or an SSO button selection. |
+
+## Recommended flow
+
+1. Call `create` with `domain` and `profile_name`.
+2. Call `login` to start a login flow.
+3. Share the returned hosted URL with the user or watch the returned live view URL.
+4. Call `get` to poll flow state and inspect `discovered_fields`.
+5. Call `submit` when the flow asks for field values, an MFA option, or an SSO choice.
+
+## Parameters
+
+| Parameter | Description |
+|-----------|-------------|
+| `action` | Operation to perform. Required. |
+| `id` | Auth connection ID. Required for `get`, `delete`, `login`, and `submit`. |
+| `domain` | (create) Target domain, such as `netflix.com`. |
+| `profile_name` | (create) Profile to manage auth for. Also filters `list`. |
+| `allowed_domains` | (create) Additional domains valid for this auth flow. Common SSO providers are allowed by default. |
+| `credential_name` | (create) Name of a stored Kernel credential for automatic login. |
+| `credential_provider` | (create) External credential provider name, such as `1password`. Use with `credential_path` or `credential_auto`. |
+| `credential_path` | (create) Provider-specific item path, such as `Engineering/Netflix Admin`. |
+| `credential_auto` | (create) If true, the provider auto-looks up credentials by domain. |
+| `login_url` | (create) Explicit login page URL to skip discovery. |
+| `health_check_interval` | (create) Seconds between automatic re-auth checks. The max is 86400. |
+| `save_credentials` | (create) Save credentials after each successful login. Default true. |
+| `proxy_id` / `proxy_name` | (create, login) Proxy to route the auth flow through. |
+| `domain_filter` | (list) Filter by domain. |
+| `limit` | (list) Max results per page. Must be 1-100. |
+| `offset` | (list) Pagination offset. Must be 0 or greater. |
+| `fields` | (submit) Map of field name to value, such as `{ "mfa_code": "123456" }`. Check `discovered_fields` from `get`. |
+| `mfa_option_id` | (submit) MFA option ID from the connection. |
+| `sso_button_selector` | (submit) XPath of an SSO button to click instead of submitting fields. |
+
+## Create a managed login
+
+```json
+{
+  "action": "create",
+  "domain": "accounts.example.com",
+  "profile_name": "work-accounts",
+  "credential_name": "example-work-login",
+  "login_url": "https://accounts.example.com/login",
+  "health_check_interval": 3600
+}
+```
+
+## Submit an MFA code
+
+```json
+{
+  "action": "submit",
+  "id": "authconn_2vE3Nq8WmY5bL0sC9pR1",
+  "fields": {
+    "mfa_code": "123456"
+  }
+}
+```