# FAQs

### How does Kernel authenticate?

Kernel connects through an account user using the standard OAuth 2.0 Authorization‑Code + Refresh Token flow. After a one‑time user authorization via the provisioned integration user, Kernel receives a long‑lived refresh token and exchanges it for short‑lived access tokens (≤15 min)

### Does Kernel need a separate UI (browser) user?

No.

### How do I revoke Kernel’s access?

To revoke Kernel’s access, you can deactivate the Kernel user.

### Is data encrypted in transit and at rest?

Yes. OAuth uses TLS 1.2+ for transport. Kernel stores any necessary credentials in a secrets manager.

### How do we avoid row locks?

To avoid row locks, we recommend designating certain windows of time during which we can update accounts in your CRM, e.g. during nights or weekends.

<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.kernel.ai/integrations/hubspot-integration/faqs.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.