Hermes Agent Security Guide: 5 Layers to Protect Your Agent in Production

TL;DR: Securing Hermes Agent in production requires five layers: credential vaults (never hardcode API keys), least-privilege tool permissions, command approval policies, messaging allowlists, and audit logging. This guide covers each layer with config examples and deployment hardening steps.

Last updated: May 12, 2026

Why Security Matters Now

Hermes Agent gains capabilities with every release: credential pools, webhook servers, multi-agent workspaces, cron schedulers. Each feature is powerful, but each also expands the attack surface. A compromised agent with API keys in plaintext config files and unrestricted tool access is a liability, not an asset. The good news: Hermes has built-in security primitives. The bad news: most are opt-in. This guide covers the five layers you need to harden in production, building on our production deployment guide.

Layer 1: Credential Vault

Hardcoding API keys in config.yaml is the most common security mistake. Hermes supports several secure credential workflows:

Option A: .env File (Built-in)

Hermes reads a .env file from ~/.hermes/.env. Store secrets there instead of in config.yaml:

```bash
# ~/.hermes/.env: set restrictive permissions
chmod 600 ~/.hermes/.env
```

```env
OPENAI_API_KEY=sk-proj-...
ANTHROPIC_API_KEY=sk-ant-...
OPENROUTER_API_KEY=sk-or-...
HERMES_WEBHOOK_SECRET=whsec_...
```

Option B: External Secrets Manager

For production, integrate with a dedicated vault:

```bash
# HashiCorp Vault integration
export VAULT_ADDR=https://vault.example.com
export VAULT_TOKEN=$(vault login -method=oidc -token-only)
hermes config set inference_provider openrouter
hermes config set openrouter_api_key \
  "$(vault kv get -field=key secret/hermes/openrouter)"
```

Supported vaults: HashiCorp Vault, Infisical, Doppler, 1Password, AWS Secrets Manager.

Option C: Credential Pools

Hermes supports multiple API keys per provider. When one hits a rate limit, the pool rotates automatically:

```yaml
# config.yaml
credential_pools:
  openrouter:
    - key: ${OPENROUTER_KEY_1}
    - key: ${OPENROUTER_KEY_2}
    - key: ${OPENROUTER_KEY_3}
```

Layer 2: Least-Privilege Tool Permissions

By default, Hermes has access to all installed tools. Narrow this scope:

| Setting | What It Does | Recommendation |
|---|---|---|
| command_allowlist | Safe commands the agent can run without approval | List only read-only and safe commands |
| command_denylist | Commands the agent can never run | Add rm -rf, chmod -R, dd, shutdown |
| tool_allowlist | Tools the agent has access to | Start minimal, expand per use case |
| filesystem_allowed_paths | Directories the agent can read/write | Restrict to project directories |

```yaml
# config.yaml: production hardened
security:
  command_allowlist:
    - "git status"
    - "git diff"
    - "cat"
    - "ls"
    - "curl"
    - "npm test"
  command_denylist:
    - "rm -rf"
    - "chmod"
    - "dd"
    - "shutdown"
    - "reboot"
    - "sudo"
  tool_allowlist:
    - "read"
    - "edit"
    - "bash"
    - "search"
  filesystem_allowed_paths:
    - "/home/hermes/workspace"
```

Layer 3: Command Approval Policies

Hermes has a built-in approval system for dangerous commands. Configure policies in config.yaml:

```yaml
security:
  dangerous_command_policy: "approve"   # ask before running
  dangerous_patterns:
    - "rm *"
    - "> /dev/sda"
    - "chown"
    - "useradd"
  approval_mode: "cli"                  # or "message" for messaging approval
```

Set dangerous_command_policy to always_allow for trusted environments or always_deny for maximum safety. The approve mode prompts via terminal or chat depending on your interface.
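As an added example (not Hermes's own code), here is a small policy evaluator that applies the Layer 2 allowlist/denylist and the Layer 3 dangerous-pattern policy in the order a hardened deployment wants: denylist first, then dangerous patterns, then allowlist, and human approval for anything else. The config keys are the page's; the prefix and glob matching rules are this example's assumptions, not Hermes's documented semantics.

```python
import fnmatch
import shlex

# Constructed policy mirroring the Layer 2/3 config above. The keys are the page's;
# the matching rules below are this example's assumptions, not Hermes's own semantics.
POLICY = {
    "command_allowlist": ["git status", "git diff", "cat", "ls", "curl", "npm test"],
    "command_denylist": ["rm -rf", "chmod", "dd", "shutdown", "reboot", "sudo"],
    "dangerous_patterns": ["rm *", "> /dev/sda", "chown", "useradd"],
    "dangerous_command_policy": "approve",  # approve | always_allow | always_deny
}


def _prefix_match(words, entry):
    # An entry matches when the command's leading words equal the entry's words,
    # so "chmod" catches "chmod -R 777 /" but not "cat chmod.txt".
    entry_words = entry.split()
    return words[: len(entry_words)] == entry_words


def _dangerous(command, pattern):
    # Glob patterns such as "rm *" match the whole command line; plain entries
    # such as "> /dev/sda" or "chown" match anywhere in the line.
    return fnmatch.fnmatchcase(command, pattern) or pattern in command


def decide(command, policy=POLICY):
    """Return 'deny', 'approve' or 'run' for one shell command string."""
    try:
        words = shlex.split(command)
    except ValueError:
        return "deny"  # unbalanced quotes: refuse rather than guess
    if any(_prefix_match(words, e) for e in policy["command_denylist"]):
        return "deny"  # the denylist wins over everything else
    if any(_dangerous(command, p) for p in policy["dangerous_patterns"]):
        mode = policy["dangerous_command_policy"]
        return {"always_allow": "run", "always_deny": "deny"}.get(mode, "approve")
    if any(_prefix_match(words, e) for e in policy["command_allowlist"]):
        return "run"
    return "approve"  # anything unlisted still goes to a human
```

Note that the bare "curl" entry lets the agent fetch any URL without approval, so in practice narrow such entries or leave them off the allowlist.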

Layer 4: Messaging Allowlists

If Hermes is connected to Telegram, Discord, or Slack, anyone who finds your bot can send it commands. Restrict access:

```env
# Environment variables for messaging security
TELEGRAM_ALLOWED_USERS="your_telegram_id,secondary_id"
DISCORD_ALLOWED_USERS="user_id_1,user_id_2"
SLACK_ALLOWED_USERS="user@example.com"
```

On Telegram, Hermes also supports a /auth command for one-time authorization. Unknown users receive a "not authorized" response and their messages are logged.

Layer 5: Audit Logging

Hermes logs all agent actions to ~/.hermes/logs/. In production, forward these to a centralized system:

```bash
# Forward logs to syslog for centralized monitoring
tail -f ~/.hermes/logs/agent.log | logger -t hermes-agent

# Or ship to a JSON log aggregator
hermes config set logging.format json
hermes config set logging.webhook_url "https://logs.example.com/ingest"
```

Key events to monitor:

  • Failed authentication attempts (messaging, webhooks)
  • Dangerous command approvals/denials
  • Credential pool rotations
  • Unexpected tool access patterns
  • Multi-agent cross-communications
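As an added example (not part of the Hermes project), here is detection logic that reads JSON-formatted audit lines and raises alerts for three of the events listed above: repeated failed authentications from one sender within a short window, denied dangerous commands, and credential pool rotations. The sample log lines and their field names are constructed for this example; Hermes's actual JSON log schema is not shown on this page.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of JSON audit lines. Field names are assumptions for this
# example, not a documented Hermes schema.
SAMPLE_LOG = """\
{"ts": "2026-05-12T09:00:01Z", "event": "auth_failed", "channel": "telegram", "user": "88421"}
{"ts": "2026-05-12T09:00:04Z", "event": "auth_failed", "channel": "telegram", "user": "88421"}
{"ts": "2026-05-12T09:00:09Z", "event": "auth_failed", "channel": "telegram", "user": "88421"}
{"ts": "2026-05-12T09:02:00Z", "event": "command_denied", "command": "rm -rf /home/hermes/workspace"}
{"ts": "2026-05-12T09:03:30Z", "event": "credential_rotated", "provider": "openrouter"}
{"ts": "2026-05-12T09:10:00Z", "event": "auth_failed", "channel": "discord", "user": "u77"}
{"ts": "2026-05-12T09:12:00Z", "event": "tool_call", "tool": "bash", "command": "git status"}
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_alerts(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return a list of (severity, message) tuples derived from the log text."""
    alerts = []
    failures = defaultdict(list)  # (channel, user) -> recent failure timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            alerts.append(("warn", f"unparseable log line: {line[:60]}"))
            continue
        kind = ev.get("event")
        if kind == "auth_failed":
            key = (ev.get("channel", "?"), ev.get("user", "?"))
            ts = parse_ts(ev["ts"])
            # Keep only failures inside the sliding window, then add this one.
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) == max_failures:  # alert once when the threshold is hit
                alerts.append(("high", f"{max_failures} failed auths from {key[1]} on {key[0]} within the window"))
        elif kind == "command_denied":
            alerts.append(("high", f"dangerous command denied: {ev.get('command')}"))
        elif kind == "credential_rotated":
            alerts.append(("info", f"credential pool rotated for {ev.get('provider')}"))
    return alerts
```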

Production Hardening Checklist

| Item | Status |
|---|---|
| Run under dedicated non-root user | ☐ |
| Secrets in .env with chmod 600, not config.yaml | ☐ |
| command_denylist includes destructive commands | ☐ |
| filesystem_allowed_paths restricted | ☐ |
| Messaging allowlists configured | ☐ |
| Dangerous command policy set to approve or deny | ☐ |
| Log forwarding to centralized system | ☐ |
| Regular update schedule configured | ☐ |
| Separate dev/prod API keys | ☐ |
| Pre-commit hooks for credential scanning | ☐ |

FAQ

Does Hermes support HashiCorp Vault natively?

Not with a built-in plugin, but you can inject Vault secrets via environment variables at startup. The shell integration shown in Layer 1 works reliably in production.

Can I restrict which files the agent can read?

Yes. Use filesystem_allowed_paths in config.yaml. The agent will be unable to read or write files outside the specified directories. Combined with command_allowlist, this provides defense in depth.

What happens when an unauthorized user messages my Telegram bot?

Hermes logs the message, returns a "not authorized" response, and takes no action. The unauthorized user never interacts with the agent's tools or memory.

Are webhook endpoints authenticated?

Yes. Hermes validates HMAC-SHA256 signatures on incoming webhooks. See the automation workflows guide for webhook setup details.

How do I rotate API keys without downtime?

Use credential pools. Add the new key to the pool list, then remove the old one after confirming rotation works. Hermes rotates automatically on rate-limit events, or you can force a reload with hermes reload credentials.

Have a security tip for Hermes? Share it in the comments or tag us on X.

Tags: Hermes, Agents, Guides, AI, Open Source
Tool: Hermes Agent / HashiCorp Vault / Infisical / Doppler
