Skip to content
Hermes Agent

Hermes Setup

This page gets a Hermes + Kirimdev gateway running. For nginx, SSL, systemd, and hardening, follow the plugin’s production DEPLOY.md after the steps below.

ItemNotes
Kirimdev accountWhatsApp Cloud API number connected
API keykdv_live_… from Dashboard → Settings → API Keys
phone_number_idMeta business phone number ID (Settings → WhatsApp number)
Hermes Agentv0.14.0+ with an LLM provider configured (hermes doctor)
Public HTTPS URLDedicated subdomain pointing at your gateway (production)
  1. Install Hermes Agent on your server or dev machine.

    Follow the official Hermes install guide, then verify:

    Terminal window
    hermes --version
    hermes doctor
  2. Copy the Kirimdev plugin into Hermes’ plugin directory.

    Terminal window
    git clone https://github.com/kirimdev/kirimdev-hermes.git
    cp -r kirimdev-hermes/kirimdev-platform ~/.hermes/plugins/kirimdev-platform
    hermes plugins enable kirimdev-platform

    Install Python deps in the Hermes environment:

    Terminal window
    pip install aiohttp httpx
    # or: ~/.hermes/hermes-agent/venv/bin/pip install aiohttp httpx
  3. Set required configuration.

    Terminal window
    hermes config set KIRIMDEV_API_KEY kdv_live_xxxxxxxx
    hermes config set KIRIMDEV_ENABLED_NUMBERS 123456789012345
    hermes config set KIRIMDEV_DEFAULT_PHONE_NUMBER_ID 123456789012345
    hermes config set KIRIMDEV_PUBLIC_URL https://hermes-webhooks.example.com
    hermes config set KIRIMDEV_OWNER_USERS 628123456789
    VariableRequiredPurpose
    KIRIMDEV_API_KEYPublic API bearer token
    KIRIMDEV_WEBHOOK_SECRETSSet after Step 5 (whsec_…)
    KIRIMDEV_ENABLED_NUMBERSComma-separated phone_number_id values Hermes may operate
    KIRIMDEV_DEFAULT_PHONE_NUMBER_IDRecommendedDefault sender for cron / CLI
    KIRIMDEV_PUBLIC_URLRecommendedPublic base URL (no /webhook suffix)
    KIRIMDEV_OWNER_USERSRecommendedOwner phones (digits, no +)
    KIRIMDEV_ALLOWED_USERSOptionalWhitelist for instant replies
    KIRIMDEV_OWNER_FULL_AGENTOptionalDefault truesee overview
    KIRIMDEV_API_BASE_URLOptionalDefault https://api.kirimdev.com/v1 — leave unset for production
  4. Start the gateway.

    Terminal window
    hermes gateway run
    # production: systemd user unit — see plugin DEPLOY.md

    Verify locally:

    Terminal window
    curl -s http://127.0.0.1:8646/health
    # {"status":"ok","platform":"kirimdev","channel":"whatsapp"}
  5. Create a Kirimdev webhook subscription pointing at your gateway.

    Dashboard → Settings → Webhooks → create subscription:

    • URL: https://hermes-webhooks.example.com/webhook
    • Events: message.received

    Copy the signing secret (whsec_…).

    Configure Hermes and restart:

    Terminal window
    hermes config set KIRIMDEV_WEBHOOK_SECRETS whsec_xxxxxxxx
    systemctl --user restart hermes-gateway # if using systemd
  6. Smoke test.

    Send a WhatsApp message from a number listed in KIRIMDEV_OWNER_USERS to your business line. You should see inbound logs and an agent reply.

    If nothing responds, check tier config — unknown senders require owner approval. See Authorization tiers in the overview.

  • nginx reverse-proxy 443 → 127.0.0.1:8646; do not expose :8646 publicly.
  • TLS via Let’s Encrypt (certbot).
  • systemd user unit with Restart=on-failure — template in hermes-gateway.service.
  • Firewall — allow 80/443 only.
  • Secret rotation — add comma-separated secrets to KIRIMDEV_WEBHOOK_SECRETS during overlap; see Verifying Signatures.
SymptomLikely causeFix
401 on webhookWrong whsec_Match KIRIMDEV_WEBHOOK_SECRETS to subscription
Inbound logged, no replySender is unknown tierAdd to KIRIMDEV_OWNER_USERS or approve via WA button
phone_number_id not enabledID mismatchFix KIRIMDEV_ENABLED_NUMBERS
No typing indicatorAPI or plugin versionPlugin v1.0.0+; Kirimdev API with typing-on-read support
502 from nginxGateway downsystemctl --user status hermes-gateway