An agent that can log into services on its own without user help is a truly independent agent. This requires special setup: proper credentials, browser automation, and 2FA handling.
Many services the agent needs — email, cloud, social media — require login. If the agent has to ask for user help every time a session expires, autonomy breaks. The key: set up credentials and browser automation so the agent can log in and maintain sessions on its own.
Google is one of the most important logins because many services depend on it: Gmail, Google Cloud, YouTube, Google Drive. Google has several authentication layers to handle: password, 2FA (TOTP), and recovery codes.
Store email and password in a secure credential file, for example ~/.agent/credentials/google-auth.txt. Never write them in SOUL.md or any file that enters context.
When enabling 2FA on Google, save the TOTP secret key (not just the 6-digit code). This secret key can be used to generate codes autonomously using a library like pyotp without needing Google Authenticator.
Generate backup codes in Google settings and save them in a separate file. These are a fallback if TOTP fails. Backup codes can be used once to bypass 2FA.
The agent needs an anti-detect browser to log into Google. Regular browsers trigger anti-bot detection. Choose a browser that supports humanize mode and fingerprint randomization.
The agent must follow this flow in order. Each step has a different failure potential:
1. Open the browser → navigate to accounts.google.com
2. Enter the email → click Next
3. Enter the password → click Next
4. If 2FA is requested:
a. Generate a TOTP code from the secret key (pyotp)
b. Enter the 6-digit code → click Next
c. If TOTP fails, use a backup code
5. Verify the login succeeded (check cookies/session)
6. Save session cookies for reuse
TOTP (Time-based One-Time Password) can be generated locally without Google Authenticator. All that's needed is the secret key from the 2FA setup. With Python and pyotp, the agent can generate a code anytime:
import pyotp
# Secret key from the Google 2FA setup (example value)
secret = "JBSWY3DPEHPK3PXP"
totp = pyotp.TOTP(secret)
# Generate a 6-digit code that is valid for 30 seconds
code = totp.now() # for example: "483291"
After a successful login, save the browser cookies. These cookies can be reused in later sessions without logging in again. Google session cookies usually last weeks to months. The agent must detect when a session expires (HTTP 401 or redirect to login page) and perform automatic re-login.
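What the local TOTP generation described above computes, as an added example that is not part of the original guide: a standard-library RFC 6238 implementation, which makes visible that the stored secret alone yields every future code and that a code stops matching at the next 30-second boundary, not 30 seconds after it was generated. RFC_SECRET is the published RFC 6238 test secret; fresh_code and its parameters are hypothetical names.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published RFC 6238 test secret (ASCII "12345678901234567890"), not a real account.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 of the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks a 4-byte slice
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238: HOTP where the counter is floor(unix_time / step)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)         # restore stripped base32 padding
    key = base64.b32decode(cleaned)
    now = time.time() if at is None else at
    return hotp(key, int(now // step), digits)

def seconds_remaining(at=None, step=30):
    """Seconds until the current code stops matching the current time step."""
    now = time.time() if at is None else at
    return step - int(now) % step

def fresh_code(secret_b32, min_lifetime=5, clock=time.time, sleep=time.sleep):
    """Return a code with at least min_lifetime seconds left (hypothetical helper)."""
    left = seconds_remaining(clock())
    if left < min_lifetime:
        sleep(left)                              # cross into the next 30-second step
    return totp(secret_b32, at=clock())

if __name__ == "__main__":
    print(totp(RFC_SECRET, at=59, digits=8))     # RFC 6238 Appendix B vector
    print(fresh_code(RFC_SECRET), seconds_remaining())
```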
~/.agent/credentials/google-auth.txt (email, password, TOTP secret, backup codes). The agent logs in via browser automation, generates TOTP codes locally, and saves session cookies for reuse. Automatic re-login when the session expires.
X/Twitter supports several authentication methods the agent can use autonomously. A good setup provides more than one method so the agent has a fallback if the primary method fails.
Log in once in a regular browser, export cookies, then the agent uses those cookies for all operations. This is the most stable method because cookies last a long time and aren't affected by anti-bot detection.
Cookies are stored in a JSON file, for example ~/.agent/credentials/x-cookies.json. With valid cookies, the agent can perform all operations: post, delete, reply, like, retweet, follow, unfollow, search, DM, bookmarks, polls, scheduled tweets, lists, media upload, and more. This is the primary method because it covers almost all needs.
Not affected by anti-bot. No need to handle 2FA. Sessions last for weeks. Covers all operations including write, DM, and media upload.
Requires one manual login to export cookies. If cookies expire, manual re-login is needed again.
The agent logs in directly with username and password. Credentials are stored in a separate file, for example ~/.agent/credentials/x-auth.env containing username, password, and backup code for handling 2FA.
Backup codes are critical for autonomous login. When X requests a verification code (2FA), the agent can enter the backup code without user help. Without backup codes, the agent gets stuck on the 2FA page and has to wait for the user.
No manual login needed at all. The agent can log in anytime as long as credentials are valid. Backup codes handle 2FA autonomously. Good for fresh starts or automatic re-login.
Vulnerable to anti-bot measures (Cloudflare 403). Passwords can change and need to be updated in the credential file. Backup codes are limited in number.
Use cookie-based login as the primary method because it is the most stable and covers all operations without being affected by anti-bot. Save cookies after the first manual login.
Use username/password + backup code as a fallback: when cookies expire and the agent needs to re-login, or when initial setup is done remotely without manual browser access. Make sure backup codes are always saved so the agent doesn't get stuck at 2FA.
~/.agent/credentials/x-cookies.json (primary method), account credentials at ~/.agent/credentials/x-auth.env (username, password, backup code). The agent uses cookie-based login for daily operations. If cookies expire, it falls back to username/password + backup code for 2FA. All operations are fully autonomous.
All credentials (passwords, TOTP secrets, cookies, API keys) go in separate files in the credential directory. Not in SOUL.md, not in code, not in environment variables that could leak to logs.
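One way to enforce the credential-directory rule above on a POSIX system, as an added example that is not part of the original guide: a loader that refuses a credential file unless it is a regular file owned by the current user, unreadable by group and others, and inside an owner-only directory, and that masks values when the result is dumped. The KEY=VALUE layout, the key names and the sample values are assumptions constructed for the demo.

```python
import os
import stat
import tempfile

class Secret(str):
    """str subclass with a masked repr, so dumping the dict does not show values."""
    def __repr__(self):
        return "Secret(****)"

def load_credentials(path):
    """Parse KEY=VALUE lines (assumed layout) from a credential file, refusing unsafe files."""
    # O_NOFOLLOW rejects a symlink swapped in for the file; fstat then checks
    # the object that was actually opened (no check-then-open race).
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, encoding="utf-8") as fh:
        st = os.fstat(fh.fileno())
        parent = os.stat(os.path.dirname(os.path.abspath(path)))
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise PermissionError(f"{path}: must be a regular file owned by this user")
        # Any group/other bit lets another local account read the secrets.
        if stat.S_IMODE(st.st_mode) & 0o077:
            raise PermissionError(f"{path}: group/other access set, use mode 600")
        if stat.S_IMODE(parent.st_mode) & 0o077:
            raise PermissionError(f"{path}: credential directory should be mode 700")
        creds = {}
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                creds[key.strip()] = Secret(value.strip())
        return creds

def demo():
    """Constructed sample file: rejected while world-readable, accepted at 600."""
    with tempfile.TemporaryDirectory() as root:
        cred_dir = os.path.join(root, "credentials")
        os.mkdir(cred_dir)
        os.chmod(cred_dir, 0o700)
        path = os.path.join(cred_dir, "x-auth.env")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# constructed values\nUSERNAME=example_user\nPASSWORD=not-a-real-password\n")
        os.chmod(path, 0o644)
        try:
            load_credentials(path)
            loose_rejected = False
        except PermissionError:
            loose_rejected = True
        os.chmod(path, 0o600)
        creds = load_credentials(path)
        return loose_rejected, creds["USERNAME"], repr(creds)

if __name__ == "__main__":
    print(demo())
```

The masked repr only covers dumps of the dictionary or its values; formatting a value with str() or an f-string still yields the real secret, so values should be passed directly to the login step and never interpolated into log messages.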
Password alone isn't enough. The agent must handle 2FA (TOTP, backup codes), CAPTCHA (anti-detect browser), and session persistence (cookies).
The agent must detect when a session expires or login fails, and have a recovery strategy: retry, use backup code, or request manual re-login as a last resort.
If TOTP can be generated from a secret key, don't ask the user to enter a code. If cookies can be loaded, don't ask the user to log in. Autonomy means the agent solves problems on its own.
Hermes SOUL Guide — building a smart agent is a process, not an instant prompt.