diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index caf5ca3..59acac4 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "0.26.0"
+  ".": "0.27.0"
 }
\ No newline at end of file
diff --git a/.stats.yml b/.stats.yml
index 2857ba8..50043a4 100644
--- a/.stats.yml
+++ b/.stats.yml
@@ -1,4 +1,4 @@
-configured_endpoints: 91
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel%2Fkernel-fc2c80b398a8dd511010ae7cda5e21c353e388ee130aa288974b47af4208b5b8.yml
-openapi_spec_hash: 5e06586dbbb9fce12b907f4e32497006
-config_hash: cc7fdd701d995d4b3456d77041c604cf
+configured_endpoints: 97
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel%2Fkernel-7427d4bcaba5cad07910da7a222bdd2650b5280e6b889132ed38d230adafb8a5.yml
+openapi_spec_hash: e8e3dc1ae54666d544d1fc848b25e7cf
+config_hash: b470456b217bb9502f5212311d395a6f
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 039f057..6094a75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog
 
+## 0.27.0 (2026-01-21)
+
+Full Changelog: [v0.26.0...v0.27.0](https://github.com/kernel/kernel-go-sdk/compare/v0.26.0...v0.27.0)
+
+### Features
+
+* **agent-auth:** add 1Password integration for credential providers ([690962f](https://github.com/kernel/kernel-go-sdk/commit/690962f9f276c1e917c7462ec57400afccf3509f))
+* **dashboard:** add browser replays support for past browsers ([33f2a9c](https://github.com/kernel/kernel-go-sdk/commit/33f2a9cd0b5391bd058f6c74900c8d3731b3f990))
+* Update browser pool org limits ([6848a1c](https://github.com/kernel/kernel-go-sdk/commit/6848a1c11b3b648b163db8cf1e47347d6b6acbb8))
+
+
+### Refactors
+
+* **agentauth:** enhance discover and submit modules with improve… ([71801e7](https://github.com/kernel/kernel-go-sdk/commit/71801e7d3375037a68f751099bc6333e592fb654))
+
 ## 0.26.0 (2026-01-17)
 
 Full Changelog: [v0.25.0...v0.26.0](https://github.com/kernel/kernel-go-sdk/compare/v0.25.0...v0.26.0)
diff --git a/README.md b/README.md
index 9a24c47..6d76526 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ Or to pin the version:
 <!-- x-release-please-start-version -->
 
 ```sh
-go get -u 'github.com/kernel/kernel-go-sdk@v0.26.0'
+go get -u 'github.com/kernel/kernel-go-sdk@v0.27.0'
 ```
 
 <!-- x-release-please-end -->
diff --git a/agentauth.go b/agentauth.go
index dcccafe..f34761d 100644
--- a/agentauth.go
+++ b/agentauth.go
@@ -146,6 +146,8 @@ type AgentAuthInvocationResponse struct {
 	PendingFields []DiscoveredField `json:"pending_fields,nullable"`
 	// SSO buttons available on the page (present when step=awaiting_input)
 	PendingSSOButtons []AgentAuthInvocationResponsePendingSSOButton `json:"pending_sso_buttons,nullable"`
+	// SSO provider being used for authentication (e.g., google, github, microsoft)
+	SSOProvider string `json:"sso_provider,nullable"`
 	// Names of fields that have been submitted (present when step=submitting or later)
 	SubmittedFields []string `json:"submitted_fields,nullable"`
 	// JSON contains metadata for fields, check presence with [respjson.Field.Valid].
@@ -162,6 +164,7 @@ type AgentAuthInvocationResponse struct {
 		MfaOptions            respjson.Field
 		PendingFields         respjson.Field
 		PendingSSOButtons     respjson.Field
+		SSOProvider           respjson.Field
 		SubmittedFields       respjson.Field
 		ExtraFields           map[string]respjson.Field
 		raw                   string
diff --git a/api.md b/api.md
index f5dfb8c..c9d3ba0 100644
--- a/api.md
+++ b/api.md
@@ -81,7 +81,7 @@ Response Types:
 Methods:
 
 - <code title="post /browsers">client.Browsers.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserService.New">New</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, body <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserNewParams">BrowserNewParams</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserNewResponse">BrowserNewResponse</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
-- <code title="get /browsers/{id}">client.Browsers.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserService.Get">Get</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserGetResponse">BrowserGetResponse</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
+- <code title="get /browsers/{id}">client.Browsers.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserService.Get">Get</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>, query <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserGetParams">BrowserGetParams</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserGetResponse">BrowserGetResponse</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
 - <code title="patch /browsers/{id}">client.Browsers.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserService.Update">Update</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>, body <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserUpdateParams">BrowserUpdateParams</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserUpdateResponse">BrowserUpdateResponse</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
 - <code title="get /browsers">client.Browsers.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserService.List">List</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, query <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserListParams">BrowserListParams</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk/packages/pagination">pagination</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk/packages/pagination#OffsetPagination">OffsetPagination</a>[<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserListResponse">BrowserListResponse</a>], <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
 - <code title="delete /browsers">client.Browsers.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserService.Delete">Delete</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, body <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserDeleteParams">BrowserDeleteParams</a>) <a href="https://pkg.go.dev/builtin#error">error</a></code>
@@ -309,3 +309,24 @@ Methods:
 - <code title="get /credentials">client.Credentials.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialService.List">List</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, query <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialListParams">CredentialListParams</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk/packages/pagination">pagination</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk/packages/pagination#OffsetPagination">OffsetPagination</a>[<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#Credential">Credential</a>], <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
 - <code title="delete /credentials/{id_or_name}">client.Credentials.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialService.Delete">Delete</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, idOrName <a href="https://pkg.go.dev/builtin#string">string</a>) <a href="https://pkg.go.dev/builtin#error">error</a></code>
 - <code title="get /credentials/{id_or_name}/totp-code">client.Credentials.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialService.TotpCode">TotpCode</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, idOrName <a href="https://pkg.go.dev/builtin#string">string</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialTotpCodeResponse">CredentialTotpCodeResponse</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
+
+# CredentialProviders
+
+Params Types:
+
+- <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CreateCredentialProviderRequestParam">CreateCredentialProviderRequestParam</a>
+- <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#UpdateCredentialProviderRequestParam">UpdateCredentialProviderRequestParam</a>
+
+Response Types:
+
+- <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProvider">CredentialProvider</a>
+- <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProviderTestResult">CredentialProviderTestResult</a>
+
+Methods:
+
+- <code title="post /org/credential-providers">client.CredentialProviders.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProviderService.New">New</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, body <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProviderNewParams">CredentialProviderNewParams</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProvider">CredentialProvider</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
+- <code title="get /org/credential-providers/{id}">client.CredentialProviders.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProviderService.Get">Get</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProvider">CredentialProvider</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
+- <code title="patch /org/credential-providers/{id}">client.CredentialProviders.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProviderService.Update">Update</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>, body <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProviderUpdateParams">CredentialProviderUpdateParams</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProvider">CredentialProvider</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
+- <code title="get /org/credential-providers">client.CredentialProviders.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProviderService.List">List</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>) (\*[]<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProvider">CredentialProvider</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
+- <code title="delete /org/credential-providers/{id}">client.CredentialProviders.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProviderService.Delete">Delete</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>) <a href="https://pkg.go.dev/builtin#error">error</a></code>
+- <code title="post /org/credential-providers/{id}/test">client.CredentialProviders.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProviderService.Test">Test</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CredentialProviderTestResult">CredentialProviderTestResult</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
diff --git a/browser.go b/browser.go
index c8da385..0c27f87 100644
--- a/browser.go
+++ b/browser.go
@@ -66,14 +66,14 @@ func (r *BrowserService) New(ctx context.Context, body BrowserNewParams, opts ..
 }
 
 // Get information about a browser session.
-func (r *BrowserService) Get(ctx context.Context, id string, opts ...option.RequestOption) (res *BrowserGetResponse, err error) {
+func (r *BrowserService) Get(ctx context.Context, id string, query BrowserGetParams, opts ...option.RequestOption) (res *BrowserGetResponse, err error) {
 	opts = slices.Concat(r.Options, opts)
 	if id == "" {
 		err = errors.New("missing required id parameter")
 		return
 	}
 	path := fmt.Sprintf("browsers/%s", id)
-	err = requestconfig.ExecuteNewRequest(ctx, http.MethodGet, path, nil, &res, opts...)
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodGet, path, query, &res, opts...)
 	return
 }
 
@@ -89,8 +89,8 @@ func (r *BrowserService) Update(ctx context.Context, id string, body BrowserUpda
 	return
 }
 
-// List all browser sessions with pagination support. Use include_deleted=true to
-// include soft-deleted sessions in the results.
+// List all browser sessions with pagination support. Use status parameter to
+// filter by session state.
 func (r *BrowserService) List(ctx context.Context, query BrowserListParams, opts ...option.RequestOption) (res *pagination.OffsetPagination[BrowserListResponse], err error) {
 	var raw *http.Response
 	opts = slices.Concat(r.Options, opts)
@@ -108,8 +108,8 @@ func (r *BrowserService) List(ctx context.Context, query BrowserListParams, opts
 	return res, nil
 }
 
-// List all browser sessions with pagination support. Use include_deleted=true to
-// include soft-deleted sessions in the results.
+// List all browser sessions with pagination support. Use status parameter to
+// filter by session state.
 func (r *BrowserService) ListAutoPaging(ctx context.Context, query BrowserListParams, opts ...option.RequestOption) *pagination.OffsetPaginationAutoPager[BrowserListResponse] {
 	return pagination.NewOffsetPaginationAutoPager(r.List(ctx, query, opts...))
 }
@@ -532,6 +532,20 @@ func (r *BrowserNewParams) UnmarshalJSON(data []byte) error {
 	return apijson.UnmarshalRoot(data, r)
 }
 
+type BrowserGetParams struct {
+	// When true, includes soft-deleted browser sessions in the lookup.
+	IncludeDeleted param.Opt[bool] `query:"include_deleted,omitzero" json:"-"`
+	paramObj
+}
+
+// URLQuery serializes [BrowserGetParams]'s query parameters as `url.Values`.
+func (r BrowserGetParams) URLQuery() (v url.Values, err error) {
+	return apiquery.MarshalWithSettings(r, apiquery.QuerySettings{
+		ArrayFormat:  apiquery.ArrayQueryFormatComma,
+		NestedFormat: apiquery.NestedQueryFormatBrackets,
+	})
+}
+
 type BrowserUpdateParams struct {
 	// ID of the proxy to use. Omit to leave unchanged, set to empty string to remove
 	// proxy.
@@ -548,13 +562,18 @@ func (r *BrowserUpdateParams) UnmarshalJSON(data []byte) error {
 }
 
 type BrowserListParams struct {
-	// When true, includes soft-deleted browser sessions in the results alongside
-	// active sessions.
+	// Deprecated: Use status=all instead. When true, includes soft-deleted browser
+	// sessions in the results alongside active sessions.
 	IncludeDeleted param.Opt[bool] `query:"include_deleted,omitzero" json:"-"`
 	// Maximum number of results to return. Defaults to 20, maximum 100.
 	Limit param.Opt[int64] `query:"limit,omitzero" json:"-"`
 	// Number of results to skip. Defaults to 0.
 	Offset param.Opt[int64] `query:"offset,omitzero" json:"-"`
+	// Filter sessions by status. "active" returns only active sessions (default),
+	// "deleted" returns only soft-deleted sessions, "all" returns both.
+	//
+	// Any of "active", "deleted", "all".
+	Status BrowserListParamsStatus `query:"status,omitzero" json:"-"`
 	paramObj
 }
 
@@ -566,6 +585,16 @@ func (r BrowserListParams) URLQuery() (v url.Values, err error) {
 	})
 }
 
+// Filter sessions by status. "active" returns only active sessions (default),
+// "deleted" returns only soft-deleted sessions, "all" returns both.
+type BrowserListParamsStatus string
+
+const (
+	BrowserListParamsStatusActive  BrowserListParamsStatus = "active"
+	BrowserListParamsStatusDeleted BrowserListParamsStatus = "deleted"
+	BrowserListParamsStatusAll     BrowserListParamsStatus = "all"
+)
+
 type BrowserDeleteParams struct {
 	// Persistent browser identifier
 	PersistentID string `query:"persistent_id,required" json:"-"`
diff --git a/browser_test.go b/browser_test.go
index d0ab6f5..f0df76c 100644
--- a/browser_test.go
+++ b/browser_test.go
@@ -63,7 +63,7 @@ func TestBrowserNewWithOptionalParams(t *testing.T) {
 	}
 }
 
-func TestBrowserGet(t *testing.T) {
+func TestBrowserGetWithOptionalParams(t *testing.T) {
 	t.Skip("Prism tests are disabled")
 	baseURL := "http://localhost:4010"
 	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
@@ -76,7 +76,13 @@ func TestBrowserGet(t *testing.T) {
 		option.WithBaseURL(baseURL),
 		option.WithAPIKey("My API Key"),
 	)
-	_, err := client.Browsers.Get(context.TODO(), "htzv5orfit78e1m2biiifpbv")
+	_, err := client.Browsers.Get(
+		context.TODO(),
+		"htzv5orfit78e1m2biiifpbv",
+		kernel.BrowserGetParams{
+			IncludeDeleted: kernel.Bool(true),
+		},
+	)
 	if err != nil {
 		var apierr *kernel.Error
 		if errors.As(err, &apierr) {
@@ -132,6 +138,7 @@ func TestBrowserListWithOptionalParams(t *testing.T) {
 		IncludeDeleted: kernel.Bool(true),
 		Limit:          kernel.Int(1),
 		Offset:         kernel.Int(0),
+		Status:         kernel.BrowserListParamsStatusActive,
 	})
 	if err != nil {
 		var apierr *kernel.Error
diff --git a/browserpool.go b/browserpool.go
index b137499..6119f17 100644
--- a/browserpool.go
+++ b/browserpool.go
@@ -167,7 +167,9 @@ func (r *BrowserPool) UnmarshalJSON(data []byte) error {
 
 // Configuration used to create all browsers in this pool
 type BrowserPoolBrowserPoolConfig struct {
-	// Number of browsers to create in the pool
+	// Number of browsers to maintain in the pool. The maximum size is determined by
+	// your organization's pooled sessions limit (the sum of all pool sizes cannot
+	// exceed your limit).
 	Size int64 `json:"size,required"`
 	// List of browser extensions to load into the session. Provide each by id or name.
 	Extensions []shared.BrowserExtension `json:"extensions"`
@@ -290,7 +292,9 @@ func (r *BrowserPoolAcquireResponse) UnmarshalJSON(data []byte) error {
 }
 
 type BrowserPoolNewParams struct {
-	// Number of browsers to create in the pool
+	// Number of browsers to maintain in the pool. The maximum size is determined by
+	// your organization's pooled sessions limit (the sum of all pool sizes cannot
+	// exceed your limit).
 	Size int64 `json:"size,required"`
 	// Percentage of the pool to fill per minute. Defaults to 10%.
 	FillRatePerMinute param.Opt[int64] `json:"fill_rate_per_minute,omitzero"`
@@ -337,7 +341,9 @@ func (r *BrowserPoolNewParams) UnmarshalJSON(data []byte) error {
 }
 
 type BrowserPoolUpdateParams struct {
-	// Number of browsers to create in the pool
+	// Number of browsers to maintain in the pool. The maximum size is determined by
+	// your organization's pooled sessions limit (the sum of all pool sizes cannot
+	// exceed your limit).
 	Size int64 `json:"size,required"`
 	// Whether to discard all idle browsers and rebuild the pool immediately. Defaults
 	// to false.
diff --git a/client.go b/client.go
index edbb3a8..a1ac662 100644
--- a/client.go
+++ b/client.go
@@ -16,17 +16,18 @@ import (
 // interacting with the kernel API. You should not instantiate this client
 // directly, and instead use the [NewClient] method instead.
 type Client struct {
-	Options      []option.RequestOption
-	Deployments  DeploymentService
-	Apps         AppService
-	Invocations  InvocationService
-	Browsers     BrowserService
-	Profiles     ProfileService
-	Proxies      ProxyService
-	Extensions   ExtensionService
-	BrowserPools BrowserPoolService
-	Agents       AgentService
-	Credentials  CredentialService
+	Options             []option.RequestOption
+	Deployments         DeploymentService
+	Apps                AppService
+	Invocations         InvocationService
+	Browsers            BrowserService
+	Profiles            ProfileService
+	Proxies             ProxyService
+	Extensions          ExtensionService
+	BrowserPools        BrowserPoolService
+	Agents              AgentService
+	Credentials         CredentialService
+	CredentialProviders CredentialProviderService
 }
 
 // DefaultClientOptions read from the environment (KERNEL_API_KEY,
@@ -61,6 +62,7 @@ func NewClient(opts ...option.RequestOption) (r Client) {
 	r.BrowserPools = NewBrowserPoolService(opts...)
 	r.Agents = NewAgentService(opts...)
 	r.Credentials = NewCredentialService(opts...)
+	r.CredentialProviders = NewCredentialProviderService(opts...)
 
 	return
 }
diff --git a/credentialprovider.go b/credentialprovider.go
new file mode 100644
index 0000000..ded8c4f
--- /dev/null
+++ b/credentialprovider.go
@@ -0,0 +1,269 @@
+// File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+package kernel
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"slices"
+	"time"
+
+	"github.com/kernel/kernel-go-sdk/internal/apijson"
+	shimjson "github.com/kernel/kernel-go-sdk/internal/encoding/json"
+	"github.com/kernel/kernel-go-sdk/internal/requestconfig"
+	"github.com/kernel/kernel-go-sdk/option"
+	"github.com/kernel/kernel-go-sdk/packages/param"
+	"github.com/kernel/kernel-go-sdk/packages/respjson"
+)
+
+// CredentialProviderService contains methods and other services that help with
+// interacting with the kernel API.
+//
+// Note, unlike clients, this service does not read variables from the environment
+// automatically. You should not instantiate this service directly, and instead use
+// the [NewCredentialProviderService] method instead.
+type CredentialProviderService struct {
+	Options []option.RequestOption
+}
+
+// NewCredentialProviderService generates a new service that applies the given
+// options to each request. These options are applied after the parent client's
+// options (if there is one), and before any request-specific options.
+func NewCredentialProviderService(opts ...option.RequestOption) (r CredentialProviderService) {
+	r = CredentialProviderService{}
+	r.Options = opts
+	return
+}
+
+// Configure an external credential provider (e.g., 1Password) for automatic
+// credential lookup.
+func (r *CredentialProviderService) New(ctx context.Context, body CredentialProviderNewParams, opts ...option.RequestOption) (res *CredentialProvider, err error) {
+	opts = slices.Concat(r.Options, opts)
+	path := "org/credential-providers"
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodPost, path, body, &res, opts...)
+	return
+}
+
+// Retrieve a credential provider by its ID.
+func (r *CredentialProviderService) Get(ctx context.Context, id string, opts ...option.RequestOption) (res *CredentialProvider, err error) {
+	opts = slices.Concat(r.Options, opts)
+	if id == "" {
+		err = errors.New("missing required id parameter")
+		return
+	}
+	path := fmt.Sprintf("org/credential-providers/%s", id)
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodGet, path, nil, &res, opts...)
+	return
+}
+
+// Update a credential provider's configuration.
+func (r *CredentialProviderService) Update(ctx context.Context, id string, body CredentialProviderUpdateParams, opts ...option.RequestOption) (res *CredentialProvider, err error) {
+	opts = slices.Concat(r.Options, opts)
+	if id == "" {
+		err = errors.New("missing required id parameter")
+		return
+	}
+	path := fmt.Sprintf("org/credential-providers/%s", id)
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodPatch, path, body, &res, opts...)
+	return
+}
+
+// List external credential providers configured for the organization.
+func (r *CredentialProviderService) List(ctx context.Context, opts ...option.RequestOption) (res *[]CredentialProvider, err error) {
+	opts = slices.Concat(r.Options, opts)
+	path := "org/credential-providers"
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodGet, path, nil, &res, opts...)
+	return
+}
+
+// Delete a credential provider by its ID.
+func (r *CredentialProviderService) Delete(ctx context.Context, id string, opts ...option.RequestOption) (err error) {
+	opts = slices.Concat(r.Options, opts)
+	opts = append([]option.RequestOption{option.WithHeader("Accept", "*/*")}, opts...)
+	if id == "" {
+		err = errors.New("missing required id parameter")
+		return
+	}
+	path := fmt.Sprintf("org/credential-providers/%s", id)
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodDelete, path, nil, nil, opts...)
+	return
+}
+
+// Validate the credential provider's token and list accessible vaults.
+func (r *CredentialProviderService) Test(ctx context.Context, id string, opts ...option.RequestOption) (res *CredentialProviderTestResult, err error) {
+	opts = slices.Concat(r.Options, opts)
+	if id == "" {
+		err = errors.New("missing required id parameter")
+		return
+	}
+	path := fmt.Sprintf("org/credential-providers/%s/test", id)
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodPost, path, nil, &res, opts...)
+	return
+}
+
+// Request to create an external credential provider
+//
+// The properties Token, ProviderType are required.
+type CreateCredentialProviderRequestParam struct {
+	// Service account token for the provider (e.g., 1Password service account token)
+	Token string `json:"token,required"`
+	// Type of credential provider
+	//
+	// Any of "onepassword".
+	ProviderType CreateCredentialProviderRequestProviderType `json:"provider_type,omitzero,required"`
+	// How long to cache credential lists (default 300 seconds)
+	CacheTtlSeconds param.Opt[int64] `json:"cache_ttl_seconds,omitzero"`
+	paramObj
+}
+
+func (r CreateCredentialProviderRequestParam) MarshalJSON() (data []byte, err error) {
+	type shadow CreateCredentialProviderRequestParam
+	return param.MarshalObject(r, (*shadow)(&r))
+}
+func (r *CreateCredentialProviderRequestParam) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+// Type of credential provider
+type CreateCredentialProviderRequestProviderType string
+
+const (
+	CreateCredentialProviderRequestProviderTypeOnepassword CreateCredentialProviderRequestProviderType = "onepassword"
+)
+
+// An external credential provider (e.g., 1Password) for automatic credential
+// lookup
+type CredentialProvider struct {
+	// Unique identifier for the credential provider
+	ID string `json:"id,required"`
+	// When the credential provider was created
+	CreatedAt time.Time `json:"created_at,required" format:"date-time"`
+	// Whether the provider is enabled for credential lookups
+	Enabled bool `json:"enabled,required"`
+	// Priority order for credential lookups (lower numbers are checked first)
+	Priority int64 `json:"priority,required"`
+	// Type of credential provider
+	//
+	// Any of "onepassword".
+	ProviderType CredentialProviderProviderType `json:"provider_type,required"`
+	// When the credential provider was last updated
+	UpdatedAt time.Time `json:"updated_at,required" format:"date-time"`
+	// JSON contains metadata for fields, check presence with [respjson.Field.Valid].
+	JSON struct {
+		ID           respjson.Field
+		CreatedAt    respjson.Field
+		Enabled      respjson.Field
+		Priority     respjson.Field
+		ProviderType respjson.Field
+		UpdatedAt    respjson.Field
+		ExtraFields  map[string]respjson.Field
+		raw          string
+	} `json:"-"`
+}
+
+// Returns the unmodified JSON received from the API
+func (r CredentialProvider) RawJSON() string { return r.JSON.raw }
+func (r *CredentialProvider) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+// Type of credential provider
+type CredentialProviderProviderType string
+
+const (
+	CredentialProviderProviderTypeOnepassword CredentialProviderProviderType = "onepassword"
+)
+
+// Result of testing a credential provider connection
+type CredentialProviderTestResult struct {
+	// Whether the connection test was successful
+	Success bool `json:"success,required"`
+	// List of vaults accessible by the service account
+	Vaults []CredentialProviderTestResultVault `json:"vaults,required"`
+	// Error message if the test failed
+	Error string `json:"error"`
+	// JSON contains metadata for fields, check presence with [respjson.Field.Valid].
+	JSON struct {
+		Success     respjson.Field
+		Vaults      respjson.Field
+		Error       respjson.Field
+		ExtraFields map[string]respjson.Field
+		raw         string
+	} `json:"-"`
+}
+
+// Returns the unmodified JSON received from the API
+func (r CredentialProviderTestResult) RawJSON() string { return r.JSON.raw }
+func (r *CredentialProviderTestResult) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+type CredentialProviderTestResultVault struct {
+	// Vault ID
+	ID string `json:"id,required"`
+	// Vault name
+	Name string `json:"name,required"`
+	// JSON contains metadata for fields, check presence with [respjson.Field.Valid].
+	JSON struct {
+		ID          respjson.Field
+		Name        respjson.Field
+		ExtraFields map[string]respjson.Field
+		raw         string
+	} `json:"-"`
+}
+
+// Returns the unmodified JSON received from the API
+func (r CredentialProviderTestResultVault) RawJSON() string { return r.JSON.raw }
+func (r *CredentialProviderTestResultVault) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+// Request to update a credential provider
+type UpdateCredentialProviderRequestParam struct {
+	// New service account token (to rotate credentials)
+	Token param.Opt[string] `json:"token,omitzero"`
+	// How long to cache credential lists
+	CacheTtlSeconds param.Opt[int64] `json:"cache_ttl_seconds,omitzero"`
+	// Whether the provider is enabled for credential lookups
+	Enabled param.Opt[bool] `json:"enabled,omitzero"`
+	// Priority order for credential lookups (lower numbers are checked first)
+	Priority param.Opt[int64] `json:"priority,omitzero"`
+	paramObj
+}
+
+func (r UpdateCredentialProviderRequestParam) MarshalJSON() (data []byte, err error) {
+	type shadow UpdateCredentialProviderRequestParam
+	return param.MarshalObject(r, (*shadow)(&r))
+}
+func (r *UpdateCredentialProviderRequestParam) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+type CredentialProviderNewParams struct {
+	// Request to create an external credential provider
+	CreateCredentialProviderRequest CreateCredentialProviderRequestParam
+	paramObj
+}
+
+func (r CredentialProviderNewParams) MarshalJSON() (data []byte, err error) {
+	return shimjson.Marshal(r.CreateCredentialProviderRequest)
+}
+func (r *CredentialProviderNewParams) UnmarshalJSON(data []byte) error {
+	return json.Unmarshal(data, &r.CreateCredentialProviderRequest)
+}
+
+type CredentialProviderUpdateParams struct {
+	// Request to update a credential provider
+	UpdateCredentialProviderRequest UpdateCredentialProviderRequestParam
+	paramObj
+}
+
+func (r CredentialProviderUpdateParams) MarshalJSON() (data []byte, err error) {
+	return shimjson.Marshal(r.UpdateCredentialProviderRequest)
+}
+func (r *CredentialProviderUpdateParams) UnmarshalJSON(data []byte) error {
+	return json.Unmarshal(data, &r.UpdateCredentialProviderRequest)
+}
diff --git a/credentialprovider_test.go b/credentialprovider_test.go
new file mode 100644
index 0000000..18e4a02
--- /dev/null
+++ b/credentialprovider_test.go
@@ -0,0 +1,169 @@
+// File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+package kernel_test
+
+import (
+	"context"
+	"errors"
+	"os"
+	"testing"
+
+	"github.com/kernel/kernel-go-sdk"
+	"github.com/kernel/kernel-go-sdk/internal/testutil"
+	"github.com/kernel/kernel-go-sdk/option"
+)
+
+func TestCredentialProviderNewWithOptionalParams(t *testing.T) {
+	t.Skip("Prism tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := kernel.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithAPIKey("My API Key"),
+	)
+	_, err := client.CredentialProviders.New(context.TODO(), kernel.CredentialProviderNewParams{
+		CreateCredentialProviderRequest: kernel.CreateCredentialProviderRequestParam{
+			Token:           "ops_eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
+			ProviderType:    kernel.CreateCredentialProviderRequestProviderTypeOnepassword,
+			CacheTtlSeconds: kernel.Int(300),
+		},
+	})
+	if err != nil {
+		var apierr *kernel.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
+
+func TestCredentialProviderGet(t *testing.T) {
+	t.Skip("Prism tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := kernel.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithAPIKey("My API Key"),
+	)
+	_, err := client.CredentialProviders.Get(context.TODO(), "id")
+	if err != nil {
+		var apierr *kernel.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
+
+func TestCredentialProviderUpdateWithOptionalParams(t *testing.T) {
+	t.Skip("Prism tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := kernel.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithAPIKey("My API Key"),
+	)
+	_, err := client.CredentialProviders.Update(
+		context.TODO(),
+		"id",
+		kernel.CredentialProviderUpdateParams{
+			UpdateCredentialProviderRequest: kernel.UpdateCredentialProviderRequestParam{
+				Token:           kernel.String("ops_eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."),
+				CacheTtlSeconds: kernel.Int(300),
+				Enabled:         kernel.Bool(true),
+				Priority:        kernel.Int(0),
+			},
+		},
+	)
+	if err != nil {
+		var apierr *kernel.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
+
+func TestCredentialProviderList(t *testing.T) {
+	t.Skip("Prism tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := kernel.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithAPIKey("My API Key"),
+	)
+	_, err := client.CredentialProviders.List(context.TODO())
+	if err != nil {
+		var apierr *kernel.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
+
+func TestCredentialProviderDelete(t *testing.T) {
+	t.Skip("Prism tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := kernel.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithAPIKey("My API Key"),
+	)
+	err := client.CredentialProviders.Delete(context.TODO(), "id")
+	if err != nil {
+		var apierr *kernel.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
+
+func TestCredentialProviderTest(t *testing.T) {
+	t.Skip("Prism tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := kernel.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithAPIKey("My API Key"),
+	)
+	_, err := client.CredentialProviders.Test(context.TODO(), "id")
+	if err != nil {
+		var apierr *kernel.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
diff --git a/internal/version.go b/internal/version.go
index dc72016..c2280fd 100644
--- a/internal/version.go
+++ b/internal/version.go
@@ -2,4 +2,4 @@
 
 package internal
 
-const PackageVersion = "0.26.0" // x-release-please-version
+const PackageVersion = "0.27.0" // x-release-please-version