Hermes Setup
This page gets a Hermes + Kirimdev gateway running. For nginx, SSL, systemd, and hardening, follow the plugin’s production DEPLOY.md after the steps below.
Prerequisites
| Item | Notes |
|---|---|
| Kirimdev account | WhatsApp Cloud API number connected |
| API key | kdv_live_… from Dashboard → Settings → API Keys |
| `phone_number_id` | Meta business phone number ID (Settings → WhatsApp number) |
| Hermes Agent | v0.14.0+ with an LLM provider configured (hermes doctor) |
| Public HTTPS URL | Dedicated subdomain pointing at your gateway (production) |
Install
1. Install Hermes Agent on your server or dev machine.

   Follow the official Hermes install guide, then verify:

   ```bash
   hermes --version
   hermes doctor
   ```

2. Copy the Kirimdev plugin into Hermes’ plugin directory.

   ```bash
   git clone https://github.com/kirimdev/kirimdev-hermes.git
   cp -r kirimdev-hermes/kirimdev-platform ~/.hermes/plugins/kirimdev-platform
   hermes plugins enable kirimdev-platform
   ```

   Install Python deps in the Hermes environment:

   ```bash
   pip install aiohttp httpx
   # or: ~/.hermes/hermes-agent/venv/bin/pip install aiohttp httpx
   ```

3. Set required configuration.

   ```bash
   hermes config set KIRIMDEV_API_KEY kdv_live_xxxxxxxx
   hermes config set KIRIMDEV_ENABLED_NUMBERS 123456789012345
   hermes config set KIRIMDEV_DEFAULT_PHONE_NUMBER_ID 123456789012345
   hermes config set KIRIMDEV_PUBLIC_URL https://hermes-webhooks.example.com
   hermes config set KIRIMDEV_OWNER_USERS 628123456789
   ```

   | Variable | Required | Purpose |
   |---|---|---|
   | `KIRIMDEV_API_KEY` | ✅ | Public API bearer token |
   | `KIRIMDEV_WEBHOOK_SECRETS` | ✅ | Set after Step 5 (`whsec_…`) |
   | `KIRIMDEV_ENABLED_NUMBERS` | ✅ | Comma-separated `phone_number_id` values Hermes may operate |
   | `KIRIMDEV_DEFAULT_PHONE_NUMBER_ID` | Recommended | Default sender for cron / CLI |
   | `KIRIMDEV_PUBLIC_URL` | Recommended | Public base URL (no `/webhook` suffix) |
   | `KIRIMDEV_OWNER_USERS` | Recommended | Owner phones (digits, no `+`) |
   | `KIRIMDEV_ALLOWED_USERS` | Optional | Whitelist for instant replies |
   | `KIRIMDEV_OWNER_FULL_AGENT` | Optional | Default `true` — see overview |
   | `KIRIMDEV_API_BASE_URL` | Optional | Default `https://api.kirimdev.com/v1` — leave unset for production |

4. Start the gateway.

   ```bash
   hermes gateway run
   # production: systemd user unit — see plugin DEPLOY.md
   ```

   Verify locally:

   ```bash
   curl -s http://127.0.0.1:8646/health
   # {"status":"ok","platform":"kirimdev","channel":"whatsapp"}
   ```

5. Create a Kirimdev webhook subscription pointing at your gateway.

   Dashboard → Settings → Webhooks → create subscription:

   - URL: `https://hermes-webhooks.example.com/webhook`
   - Events: `message.received`

   Copy the signing secret (`whsec_…`).

   Or create it through the API:

   ```bash
   curl -s -X POST https://api.kirimdev.com/v1/webhook_subscriptions \
     -H "Authorization: Bearer $KIRIMDEV_API_KEY" \
     -H "Content-Type: application/json" \
     -d '{
       "url": "https://hermes-webhooks.example.com/webhook",
       "events": ["message.received"]
     }'
   ```

   Save `initial_secret` from the response. See Subscribe to Webhooks for signature verification details.

   Configure Hermes and restart:

   ```bash
   hermes config set KIRIMDEV_WEBHOOK_SECRETS whsec_xxxxxxxx
   systemctl --user restart hermes-gateway  # if using systemd
   ```

6. Smoke test.

   Send a WhatsApp message from a number listed in `KIRIMDEV_OWNER_USERS` to your business line. You should see inbound logs and an agent reply.

   If nothing responds, check tier config — unknown senders require owner approval. See Authorization tiers in the overview.

Production checklist
- nginx reverse-proxy `443 → 127.0.0.1:8646`; do not expose `:8646` publicly.
- TLS via Let’s Encrypt (certbot).
- systemd user unit with `Restart=on-failure` — template in hermes-gateway.service.
- Firewall — allow 80/443 only.
- Secret rotation — add comma-separated secrets to `KIRIMDEV_WEBHOOK_SECRETS` during overlap; see Verifying Signatures.
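
A preflight check for the "do not expose `:8646` publicly" item, added here as an example and not taken from the plugin or its DEPLOY.md: it reads `ss -ltnH` output and reports any listener on the gateway port that is bound beyond loopback. The function names and the `GATEWAY_PORT` variable are hypothetical, and it assumes Linux with iproute2.

```shell
#!/usr/bin/env bash
# Added example: report listeners on the gateway port that are bound beyond
# loopback. Assumes Linux with iproute2 (`ss`); all names here are hypothetical.

GATEWAY_PORT="${GATEWAY_PORT:-8646}"   # port from this guide's health check

# Reads `ss -ltnH` output on stdin and prints each non-loopback local address
# bound to the port ($1, default GATEWAY_PORT).
# Exit status: 0 = loopback only or not listening, 1 = wider binding found.
exposed_listeners() {
  awk -v port="${1:-$GATEWAY_PORT}" '
    {
      addr = $4                        # "Local Address:Port" column
      n = match(addr, /:[0-9]+$/)      # last colon, so IPv6 hosts stay intact
      if (n == 0) next
      if (substr(addr, n + 1) != port) next
      host = substr(addr, 1, n - 1)
      sub(/%.*$/, "", host)            # drop interface scope (127.0.0.1%lo)
      sub(/^\[/, "", host)             # [::1] -> ::1
      sub(/\]$/, "", host)
      if (host ~ /^127\./ || host == "::1") next
      print addr
      bad = 1
    }
    END { exit (bad + 0) }
  '
}

# Live check on the gateway host.
check_gateway_exposure() {
  ss -ltnH | exposed_listeners "$@"
}

# Constructed sample of `ss -ltnH` output (not captured from a real host):
# a correct loopback binding, nginx on 443, and a wildcard IPv6 binding.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8646 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:8646 [::]:*'

if ! printf '%s\n' "$SAMPLE_SS" | exposed_listeners; then
  echo "gateway port $GATEWAY_PORT is bound beyond loopback" >&2
fi
```

On the gateway host, `check_gateway_exposure` runs the same test against the live socket table; a non-zero exit means the gateway is listening on more than loopback, so only the firewall stands between port 8646 and the network.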
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| 401 on webhook | Wrong whsec_ | Match KIRIMDEV_WEBHOOK_SECRETS to subscription |
| Inbound logged, no reply | Sender is unknown tier | Add to KIRIMDEV_OWNER_USERS or approve via WA button |
| phone_number_id not enabled | ID mismatch | Fix KIRIMDEV_ENABLED_NUMBERS |
| No typing indicator | API or plugin version | Plugin v1.0.0+; Kirimdev API with typing-on-read support |
| 502 from nginx | Gateway down | systemctl --user status hermes-gateway |
Related
- Hermes overview — architecture, use cases, MCP comparison
- Receive messages — webhook payload shape
- Mark as read — read receipts + typing indicator API
- MCP Setup — assistant-driven integration (no VPS gateway)