Skip to main content

Web Dashboard

The web dashboard is a browser-based UI for managing your Hermes Agent installation. Instead of editing YAML files or running CLI commands, you can configure settings, manage API keys, and monitor sessions from a clean web interface.

tip

Hosted-mode auth uses Nous Portal OAuth; if you also want the dashboard to talk to a real backend, hermes setup --portal wires up the model and tool gateway too. See Nous Portal.

Quick Start

hermes dashboard

This starts a local web server and opens http://127.0.0.1:9119 in your browser. The dashboard runs entirely on your machine — no data leaves localhost.

Options

FlagDefaultDescription
--port9119Port to run the web server on
--host127.0.0.1Bind address
--no-openDon't auto-open the browser
--insecureoffAllow binding to non-localhost hosts (DANGEROUS — exposes API keys on the network; pair with a firewall and strong auth)
--tuioffExpose the in-browser Chat tab (embedded hermes --tui via PTY/WebSocket). Alternatively set HERMES_DASHBOARD_TUI=1.
# Custom port
hermes dashboard --port 8080

# Bind to all interfaces (use with caution on shared networks)
hermes dashboard --host 0.0.0.0

# Start without opening browser
hermes dashboard --no-open

# Enable the in-browser Chat tab
hermes dashboard --tui

Prerequisites

The default hermes-agent install does not ship the HTTP stack or PTY helper — those are optional extras. The web dashboard needs FastAPI and Uvicorn (web extra). The Chat tab also needs ptyprocess to spawn the embedded TUI behind a pseudo-terminal (pty extra on POSIX). Install both with:

pip install 'hermes-agent[web,pty]'

The web extra pulls in FastAPI/Uvicorn; pty pulls in ptyprocess (POSIX) or pywinpty (native Windows — note that the embedded TUI itself still requires WSL). pip install hermes-agent[all] includes both extras and is the easiest path if you also want messaging/voice/etc.

When you run hermes dashboard without the dependencies, it will tell you what to install. If the frontend hasn't been built yet and npm is available, it builds automatically on first launch.

The Chat tab is intentionally off for a plain hermes dashboard launch. Start the dashboard with hermes dashboard --tui or set HERMES_DASHBOARD_TUI=1 when you want the embedded browser chat pane.

Pages

Status

The landing page shows a live overview of your installation:

  • Agent version and release date
  • Gateway status — running/stopped, PID, connected platforms and their state
  • Active sessions — count of sessions active in the last 5 minutes
  • Recent sessions — list of the 20 most recent sessions with model, message count, token usage, and a preview of the conversation

The status page auto-refreshes every 5 seconds.

Chat

The Chat tab embeds the full Hermes TUI (the same interface you get from hermes --tui) directly in the browser. Everything you can do in the terminal TUI — slash commands, model picker, tool-call cards, markdown streaming, clarify/sudo/approval prompts, skin theming — works identically here, because the dashboard is running the real TUI binary and rendering its ANSI output through xterm.js with its WebGL renderer for pixel-perfect cell layout.

How it works:

  • /api/pty opens a WebSocket authenticated with the dashboard's session token
  • The server spawns hermes --tui behind a POSIX pseudo-terminal
  • Keystrokes travel to the PTY; ANSI output streams back to the browser
  • xterm.js's WebGL renderer paints each cell to an integer-pixel grid; mouse tracking (SGR 1006), wide characters (Unicode 11), and box-drawing glyphs all render natively
  • Resizing the browser window resizes the TUI via the @xterm/addon-fit addon

Resume an existing session: from the Sessions tab, click the play icon (▶) next to any session. That jumps to /chat?resume=<id> and launches the TUI with --resume, loading the full history.

Prerequisites:

  • Node.js (same requirement as hermes --tui; the TUI bundle is built on first launch)
  • ptyprocess — installed by the pty extra (pip install 'hermes-agent[web,pty]', or [all] covers both)
  • POSIX kernel (Linux, macOS, or WSL2). The /chat terminal pane specifically needs a POSIX PTY — native Windows Python has no equivalent, so on a native Windows install the rest of the dashboard (sessions, jobs, metrics, config editor) works but the /chat tab will show a banner telling you to use WSL2 for that feature.

Close the browser tab and the PTY is reaped cleanly on the server. Re-opening spawns a fresh session.

Config

A form-based editor for config.yaml. All 150+ configuration fields are auto-discovered from DEFAULT_CONFIG and organized into tabbed categories:

  • model — default model, provider, base URL, reasoning settings
  • terminal — backend (local/docker/ssh/modal), timeout, shell preferences
  • display — skin, tool progress, resume display, spinner settings
  • agent — max iterations, gateway timeout, service tier
  • delegation — subagent limits, reasoning effort
  • memory — provider selection, context injection settings
  • approvals — dangerous command approval mode (ask/yolo/deny)
  • And more — every section of config.yaml has corresponding form fields

Fields with known valid values (terminal backend, skin, approval mode, etc.) render as dropdowns. Booleans render as toggles. Everything else is a text input.

Actions:

  • Save — writes changes to config.yaml immediately
  • Reset to defaults — reverts all fields to their default values (doesn't save until you click Save)
  • Export — downloads the current config as JSON
  • Import — uploads a JSON config file to replace the current values
tip

Config changes take effect on the next agent session or gateway restart. The web dashboard edits the same config.yaml file that hermes config set and the gateway read from.

API Keys

Manage the .env file where API keys and credentials are stored. Keys are grouped by category:

  • LLM Providers — OpenRouter, Anthropic, OpenAI, DeepSeek, etc.
  • Tool API Keys — Browserbase, Firecrawl, Tavily, ElevenLabs, etc.
  • Messaging Platforms — Telegram, Discord, Slack bot tokens, etc.
  • Agent Settings — non-secret env vars like API_SERVER_ENABLED

Each key shows:

  • Whether it's currently set (with a redacted preview of the value)
  • A description of what it's for
  • A link to the provider's signup/key page
  • An input field to set or update the value
  • A delete button to remove it

Advanced/rarely-used keys are hidden by default behind a toggle.

Sessions

Browse and inspect all agent sessions. Each row shows the session title, source platform icon (CLI, Telegram, Discord, Slack, cron), model name, message count, tool call count, and how long ago it was active. Live sessions are marked with a pulsing badge.

  • Search — full-text search across all message content using FTS5. Results show highlighted snippets and auto-scroll to the first matching message when expanded.
  • Expand — click a session to load its full message history. Messages are color-coded by role (user, assistant, system, tool) and rendered as Markdown with syntax highlighting.
  • Tool calls — assistant messages with tool calls show collapsible blocks with the function name and JSON arguments.
  • Delete — remove a session and its message history with the trash icon.

Logs

View agent, gateway, and error log files with filtering and live tailing.

  • File — switch between agent, errors, and gateway log files
  • Level — filter by log level: ALL, DEBUG, INFO, WARNING, or ERROR
  • Component — filter by source component: all, gateway, agent, tools, cli, or cron
  • Lines — choose how many lines to display (50, 100, 200, or 500)
  • Auto-refresh — toggle live tailing that polls for new log lines every 5 seconds
  • Color-coded — log lines are colored by severity (red for errors, yellow for warnings, dim for debug)

Analytics

Usage and cost analytics computed from session history. Select a time period (7, 30, or 90 days) to see:

  • Summary cards — total tokens (input/output), cache hit percentage, total estimated or actual cost, and total session count with daily average
  • Daily token chart — stacked bar chart showing input and output token usage per day, with hover tooltips showing breakdowns and cost
  • Daily breakdown table — date, session count, input tokens, output tokens, cache hit rate, and cost for each day
  • Per-model breakdown — table showing each model used, its session count, token usage, and estimated cost

Cron

Create and manage scheduled cron jobs that run agent prompts on a recurring schedule.

  • Create — fill in a name (optional), prompt, cron expression (e.g. 0 9 * * *), and delivery target (local, Telegram, Discord, Slack, or email)
  • Job list — each job shows its name, prompt preview, schedule expression, state badge (enabled/paused/error), delivery target, last run time, and next run time
  • Pause / Resume — toggle a job between active and paused states
  • Trigger now — immediately execute a job outside its normal schedule
  • Delete — permanently remove a cron job

Skills

Browse, search, and toggle skills and toolsets. Skills are loaded from ~/.hermes/skills/ and grouped by category.

  • Search — filter skills and toolsets by name, description, or category
  • Category filter — click category pills to narrow the list (e.g. MLOps, MCP, Red Teaming, AI)
  • Toggle — enable or disable individual skills with a switch. Changes take effect on the next session.
  • Toolsets — a separate section shows built-in toolsets (file operations, web browsing, etc.) with their active/inactive status, setup requirements, and list of included tools
Security

The web dashboard reads and writes your .env file, which contains API keys and secrets. It binds to 127.0.0.1 by default — only accessible from your local machine. If you bind to 0.0.0.0, anyone on your network can view and modify your credentials. The dashboard has no authentication of its own.

/reload Slash Command

The dashboard PR also adds a /reload slash command to the interactive CLI. After changing API keys via the web dashboard (or by editing .env directly), use /reload in an active CLI session to pick up the changes without restarting:

You → /reload
  Reloaded .env (3 var(s) updated)

This re-reads ~/.hermes/.env into the running process's environment. Useful when you've added a new provider key via the dashboard and want to use it immediately.

REST API

The web dashboard exposes a REST API that the frontend consumes. You can also call these endpoints directly for automation:

GET /api/status

Returns agent version, gateway status, platform states, and active session count.

GET /api/sessions

Returns the 20 most recent sessions with metadata (model, token counts, timestamps, preview).

GET /api/config

Returns the current config.yaml contents as JSON.

GET /api/config/defaults

Returns the default configuration values.

GET /api/config/schema

Returns a schema describing every config field — type, description, category, and select options where applicable. The frontend uses this to render the correct input widget for each field.

PUT /api/config

Saves a new configuration. Body: {"config": {...}}.

GET /api/env

Returns all known environment variables with their set/unset status, redacted values, descriptions, and categories.

PUT /api/env

Sets an environment variable. Body: {"key": "VAR_NAME", "value": "secret"}.

DELETE /api/env

Removes an environment variable. Body: {"key": "VAR_NAME"}.

GET /api/sessions/{session_id}

Returns metadata for a single session.

GET /api/sessions/{session_id}/messages

Returns the full message history for a session, including tool calls and timestamps.

GET /api/sessions/search

Full-text search across message content. Query parameter: q. Returns matching session IDs with highlighted snippets.

DELETE /api/sessions/{session_id}

Deletes a session and its message history.

GET /api/logs

Returns log lines. Query parameters: file (agent/errors/gateway), lines (count), level, component.

GET /api/analytics/usage

Returns token usage, cost, and session analytics. Query parameter: days (default 30). Response includes daily breakdowns and per-model aggregates.

GET /api/cron/jobs

Returns all configured cron jobs with their state, schedule, and run history.

POST /api/cron/jobs

Creates a new cron job. Body: {"prompt": "...", "schedule": "0 9 * * *", "name": "...", "deliver": "local"}.

POST /api/cron/jobs/{job_id}/pause

Pauses a cron job.

POST /api/cron/jobs/{job_id}/resume

Resumes a paused cron job.

POST /api/cron/jobs/{job_id}/trigger

Immediately triggers a cron job outside its schedule.

DELETE /api/cron/jobs/{job_id}

Deletes a cron job.

GET /api/skills

Returns all skills with their name, description, category, and enabled status.

PUT /api/skills/toggle

Enables or disables a skill. Body: {"name": "skill-name", "enabled": true}.

GET /api/tools/toolsets

Returns all toolsets with their label, description, tools list, and active/configured status.

OAuth Authentication (gated mode)

When the dashboard is bound to a public address — anything other than 127.0.0.1 / localhost — Hermes Agent engages an OAuth-based auth gate. Every request must carry a verified session cookie or it's bounced through a full OAuth round-trip via the Nous Portal.

This is intended for hosted deployments (typically Fly.io) where the dashboard is reachable over the public internet. Operator-owned dashboards bound to loopback are unaffected.

When the gate engages

FlagsAuth gateUse case
hermes dashboard (default — binds to 127.0.0.1)OFFLocal development
hermes dashboard --host 0.0.0.0ONProduction / Fly.io deployment
hermes dashboard --host 192.168.1.10 --insecureOFFTrusted LAN; user opts into legacy session-token auth

The gate is on if and only if:

  1. The bind host is not 127.0.0.1, ::1, localhost, or 0.0.0.0 AND
  2. The --insecure flag is not set.

Setting --insecure keeps the existing single-process session-token behaviour — no OAuth dance, no provider plugins required. Use only on networks where you trust every client.

Fail-closed semantics

If the gate would engage but no DashboardAuthProvider is registered (no Nous plugin, no custom plugin), hermes dashboard refuses to bind with an explicit error message. There is no "default-deny but accept everything" fallback — a misconfigured gated dashboard never starts.

Default provider: Nous Research

The bundled plugins/dashboard_auth/nous plugin is always installed and auto-loaded. It auto-registers a DashboardAuthProvider named nous when a client ID is configured.

Configuration

The plugin reads from two surfaces, with the environment variable winning when set non-empty:

config.yaml — the canonical surface:

dashboard:
  oauth:
    client_id: agent:01HXYZ…             # required to engage the gate
    portal_url: https://portal.nousresearch.com  # optional; defaults to production

Environment variables — operator overrides:

Env varOverridesFormatProvisioned by
HERMES_DASHBOARD_OAUTH_CLIENT_IDdashboard.oauth.client_idagent:{instance_id}Nous Portal at Fly.io provisioning time
HERMES_DASHBOARD_PORTAL_URLdashboard.oauth.portal_urlURL (default: https://portal.nousresearch.com)Portal — override only for staging or a custom deployment

Per the Hermes Agent convention (~/.hermes/.env is for API keys / secrets only), config.yaml is the recommended place to set these values for local dev, on-prem, and any deployment you control directly. The environment-variable path exists so Fly.io's platform-secret injection can push per-deploy client_ids without anyone having to edit config.yaml inside the image — that's its primary purpose.

Empty environment values are treated as unset, so a provisioned-but-not-populated Fly secret can't accidentally shadow a valid config.yaml entry.

If neither source provides a client_id, the plugin reports the specific reason and the dashboard's fail-closed bind error tells you exactly what to fix:

Refusing to bind dashboard to 0.0.0.0 — the OAuth auth gate engages on
non-loopback binds, but no auth providers are registered.

Bundled providers reported these issues:
  • nous: HERMES_DASHBOARD_OAUTH_CLIENT_ID is not set (and
    dashboard.oauth.client_id in config.yaml is empty). The Nous Portal
    provisions this env var (shape 'agent:{instance_id}') when it
    deploys a Hermes Agent instance — set it to your provisioned
    client id (either as an env var or under dashboard.oauth.client_id
    in config.yaml), or pass --insecure to skip the OAuth gate entirely.

Or pass --insecure to skip the auth gate (NOT recommended on untrusted
networks).

Public URL override

By default, the dashboard reconstructs the OAuth callback URL from the request — X-Forwarded-Host + X-Forwarded-Proto + X-Forwarded-Prefix (when uvicorn is configured with proxy_headers=True, which start_server enables under the gate). This works out of the box on Fly.io, which sets all three headers correctly.

For deploys behind reverse proxies that don't reliably forward those headers (manual nginx setups, on-prem ingresses, custom-domain Fly deploys with partial proxy chains), set dashboard.public_url (or HERMES_DASHBOARD_PUBLIC_URL) to the complete public URL the dashboard is reached at:

dashboard:
  public_url: "https://dashboard.example.com/hermes"

When set, the OAuth callback URL becomes <public_url>/auth/callback verbatim — X-Forwarded-Prefix is ignored on that code path because the operator has explicitly declared the public URL. This is intentional: stacking the prefix on top would double-prefix the common case where the prefix is already baked into public_url.

Same precedence as the other dashboard settings — env wins over config.yaml:

SurfaceOverride pathWhen to use
dashboard.public_url in config.yamlHERMES_DASHBOARD_PUBLIC_URLLocal dev / on-prem (canonical)
HERMES_DASHBOARD_PUBLIC_URL env varFly.io platform secrets / CI
(unset)Default — reconstruct from X-Forwarded-* headers

Validation rejects values without http:// / https:// scheme, without a host, or containing quote / angle / whitespace / control characters. A malformed value silently falls through to header reconstruction so the login flow keeps working rather than dispatching the user to a hostile URL.

Note: public_url overrides the OAuth callback URL only. The Secure cookie flag is still controlled by request.url.scheme (X-Forwarded-Proto under proxy_headers), so an http:// public_url on a TLS-terminated public deploy will produce non-Secure cookies. This is an operator footgun — pair public_url with proper TLS termination upstream.

OAuth flow

The provider implements the Nous Portal OAuth contract v1 — authorization-code grant with PKCE (S256):

  1. User hits / without a session cookie → gate redirects to /login.
  2. Login page shows a "Continue with Nous Research" button → /auth/login?provider=nous.
  3. Server stashes PKCE state in a short-lived cookie, redirects user to https://portal.nousresearch.com/oauth/authorize?….
  4. User authenticates with Portal, lands at /auth/callback?code=…&state=….
  5. Server exchanges the code for an access token at POST /api/oauth/token, verifies the JWT signature against the Portal's JWKS (/.well-known/jwks.json), and sets the hermes_session_at cookie.
  6. User is redirected to / (or to the original deep-link path via the next= query parameter).

Access tokens have a 15-minute TTL. There is no refresh token in contract v1 — when the token expires, the SPA's fetch wrapper detects the 401 envelope and full-page-navigates back to /login to re-run the flow.

Cookies set

NameLifetimeNotes
hermes_session_atToken TTL (15 min)HttpOnly, SameSite=Lax, Secure-when-HTTPS
hermes_session_pkce10 minHttpOnly; holds the PKCE verifier + provider hint during the round trip
hermes_session_rtunused in v1Reserved for forward-compat; not written when refresh_token is empty

All three are Path=/ and SameSite=Lax. The Secure flag is set when the dashboard is reached over HTTPS (detected via the request URL scheme — honours X-Forwarded-Proto from Fly's TLS terminator under proxy_headers=True).

Logout

The sidebar widget shows Logged in as <user_id…> via nous with a logout icon. Clicking it POSTs /auth/logout, which clears all dashboard-auth cookies and redirects back to /login.

Audit log

Every login start, success, failure, and session-verify failure is written as a JSON line to $HERMES_HOME/logs/dashboard-auth.log. Sensitive fields (access_token, refresh_token, code, code_verifier, state, Authorization header) are redacted before logging.

Custom providers

To plug a non-Nous OAuth provider (e.g. Google, GitHub, custom OIDC), create a plugin that registers a DashboardAuthProvider:

# ~/.hermes/plugins/dashboard-auth-myidp/__init__.py
from hermes_cli.dashboard_auth import DashboardAuthProvider, Session, LoginStart

class MyIdPProvider(DashboardAuthProvider):
    name = "myidp"
    display_name = "My Identity Provider"

    def start_login(self, *, redirect_uri): ...
    def complete_login(self, *, code, state, code_verifier, redirect_uri): ...
    def verify_session(self, *, access_token): ...
    def refresh_session(self, *, refresh_token): ...
    def revoke_session(self, *, refresh_token): ...

def register(ctx):
    ctx.register_dashboard_auth_provider(MyIdPProvider())

The login page lists all registered providers; multiple providers can be stacked and the user picks one at /login.

Verifying the gate is on

# Quick env-var path (Fly.io shape). HERMES_DASHBOARD_PORTAL_URL is
# optional — defaults to production.
HERMES_DASHBOARD_OAUTH_CLIENT_ID=agent:test \
  hermes dashboard --host 0.0.0.0

# Or the equivalent via config.yaml (recommended for local dev / on-prem):
#
#   dashboard:
#     oauth:
#       client_id: agent:test
#
# then just:
hermes dashboard --host 0.0.0.0

# Hit /api/status to see the gate state:
curl -s http://127.0.0.1:9119/api/status | jq '.auth_required, .auth_providers'
# true
# ["nous"]

The dashboard's React StatusPage shows the same fields under "Web server". A sidebar AuthWidget surfaces the current identity once you've signed in.

CORS

The web server restricts CORS to localhost origins only:

  • http://localhost:9119 / http://127.0.0.1:9119 (production)
  • http://localhost:3000 / http://127.0.0.1:3000
  • http://localhost:5173 / http://127.0.0.1:5173 (Vite dev server)

If you run the server on a custom port, that origin is added automatically.

Development

If you're contributing to the web dashboard frontend:

# Terminal 1: start the backend API
hermes dashboard --no-open

# Terminal 2: start the Vite dev server with HMR
cd web/
npm install
npm run dev

The Vite dev server at http://localhost:5173 proxies /api requests to the FastAPI backend at http://127.0.0.1:9119.

The frontend is built with React 19, TypeScript, Tailwind CSS v4, and shadcn/ui-style components. Production builds output to hermes_cli/web_dist/ which the FastAPI server serves as a static SPA.

Automatic Build on Update

When you run hermes update, the web frontend is automatically rebuilt if npm is available. This keeps the dashboard in sync with code updates. If npm isn't installed, the update skips the frontend build and hermes dashboard will build it on first launch.

Themes & plugins

The dashboard ships with six built-in themes and can be extended with user-defined themes, plugin tabs, and backend API routes — all drop-in, no repo clone needed.

Switch themes live from the header bar — click the palette icon next to the language switcher. Selection persists to config.yaml under dashboard.theme and is restored on page load.

Built-in themes:

ThemeCharacter
Hermes Teal (default)Dark teal + cream, system fonts, comfortable spacing
Hermes Teal (Large) (default-large)Same as default with 18px text and roomier spacing
Midnight (midnight)Deep blue-violet, Inter + JetBrains Mono
Ember (ember)Warm crimson + bronze, Spectral serif + IBM Plex Mono
Mono (mono)Grayscale, IBM Plex, compact
Cyberpunk (cyberpunk)Neon green on black, Share Tech Mono
Rosé (rose)Pink + ivory, Fraunces serif, spacious

To build your own theme, add a plugin tab, inject into shell slots, or expose plugin-specific REST endpoints, see Extending the Dashboard — the complete guide covers:

  • Theme YAML schema — palette, typography, layout, assets, componentStyles, colorOverrides, customCSS
  • Layout variants — standard, cockpit, tiled
  • Plugin manifest, SDK, shell slots, page-scoped slots (inject widgets into built-in pages without overriding them), backend FastAPI routes
  • A full combined theme-plus-plugin walkthrough (Strike Freedom cockpit demo)
  • Discovery, reload, and troubleshooting