Setting up Hermes
This walks a self-managed team through turning Hermes on your own machine into an AI employee connected to HQ. If cln.work runs your infrastructure, you do not need this page, we set Hermes up for you.
Note
Choose Hermes as the runtime when you create or reconfigure the AI employee, then generate and download the bundle for your operating system. Everything below assumes you already have that download. See Creating an AI employee for the wizard walkthrough.
What you need
-
Hermes installed for your OS. Follow the upstream install instructions at the link above.
-
A model provider. Hermes does not ship one, so pick one of:
- Zero-config: run
hermes setup --portaland follow the prompts. This provisions a model through the Hermes portal with no key management on your side. - Bring your own key: configure any provider Hermes supports directly in
~/.hermes/config.yaml(Anthropic, OpenAI, and so on) using your own API key.
Either way, the model must support a context window of at least 64k tokens, Hermes' memory and compaction behavior assumes it. We only ever supply the HQ MCP key, the model provider is entirely on you.
- Zero-config: run
Install
Run the steps in order, each one assumes the previous step finished:
-
Install Hermes for your OS.
-
Set up a model provider as described above, then confirm it works:
hermes doctor -
Run the install script from the extracted bundle.
bash install.sh # Mac / Linux.\install.ps1 # Windows
The install script performs these steps, in this exact order, because Hermes does not hot-reload its config file, everything that writes config has to finish before anything that reads it:
- Preflight checks that
hermesis on your PATH and that a model provider is configured. - Writes secrets to your
.env: your HQ API key, and Slack tokens if you provide them. - Copies
SOUL.mdand the skill files into$HERMES_HOME. - Merges config by running
hermes/merge-config.py, which deep-merges thehqMCP server block and Slack platform settings into your~/.hermes/config.yamlwithout touching anything else already in that file. It is idempotent, safe to re-run after every bundle re-download. - Runs
hermes doctorto validate the now-final config. - Runs
hermes mcp test hqto confirm the MCP connection specifically works. - Registers scheduled work with
hermes cron. - Starts or restarts the Slack gateway last of all, so it always comes up against the final, fully-merged config rather than restarting again a moment later.
Warning
Config changes need a restart. Whether the change came from merge-config.py or a
manual edit to config.yaml, run hermes gateway restart afterward, Hermes does not
pick up config changes on its own.
Slack
Hermes talks to Slack over Socket Mode, which needs a Slack app created with Socket Mode enabled and both of these tokens:
SLACK_BOT_TOKEN, thexoxb-...bot token from the app's OAuth & Permissions page.SLACK_APP_TOKEN, thexapp-...app-level token, required for Socket Mode's real-time event delivery.
SLACK_ALLOWED_USERS is also required, and it is easy to miss. The Hermes
gateway denies every inbound Slack message by default until you set this to a
comma-separated list of the Slack user IDs allowed to message the employee. Valid bot
and app tokens are not enough on their own, without this variable populated, Slack
messages are simply dropped with no error shown anywhere, which makes it look like
the integration is broken when it is actually just refusing all senders.
Scheduled work
Hermes has its own native scheduler, the install script registers your employee's jobs with it directly (no OS-level cron or Task Scheduler involved on Mac or Linux). Inspect what is registered at any time with:
hermes cron list
The heartbeat runs hourly by default. Any morning brief, end-of-day report, or weekly summary jobs you enabled in the wizard, plus any module-defined cron jobs your enrolled modules add, are registered the same way.
Running multiple employees on one machine
Hermes supports profiles for exactly this: give each employee its own
HERMES_HOME directory (for example ~/.hermes-<employee-slug>) so their configs,
memory, and credentials never collide. Set HERMES_HOME before invoking hermes for
that employee, or use hermes's --profile flag if your version supports it, check
hermes --help.
Windows
Hermes does not support installing the gateway as a Windows service. On Windows:
- Run
hermes gateway rundirectly in a terminal window and leave it open (a Windows Terminal tab you keep alive works well). - Scheduled work still runs independently of the gateway, the heartbeat and other
cron jobs registered with
hermes cronfire on schedule whether or not the gateway is running. Only real-time Slack delivery needs the foreground gateway process.
Troubleshooting
- "401 from HQ": check your API key environment variable matches the key shown on the HQ AI Employees page.
- Slack messages silently dropped: check
SLACK_ALLOWED_USERSis set, Hermes denies by default. - Config changes not taking effect: run
hermes gateway restart, Hermes does not hot-reloadconfig.yaml. merge-config.pyfails with an ImportError: runpip install pyyaml.
Renaming your employee requires a bundle re-download
If you rename the employee in HQ, download a fresh bundle and re-run the install and merge steps. The MCP URL, the API key's environment variable name, and the skills directory are all derived from the employee's name at the moment the bundle was generated, editing them by hand instead of redownloading will drift out of sync with HQ.
Switching runtimes
If you are moving this employee off Hermes onto a different runtime:
- Stop the gateway, then uninstall it:
hermes gateway stop, followed by removing the service Hermes installed for it. - Remove the scheduled jobs Hermes registered for this employee:
hermes cron removefor the heartbeat and any module-defined jobs (seehermes cron listfor the exact names). - Remove the
mcp_servers.hqblock from~/.hermes/config.yaml. - Delete the
skills/hqfolder from your Hermes home. - Remove the env lines the installer wrote from the Hermes env file: the HQ API
key variable and, if you configured Slack,
SLACK_BOT_TOKEN,SLACK_APP_TOKEN, andSLACK_ALLOWED_USERS. Find the file withhermes config env-path(it defaults to~/.hermes/.env). - Switch the runtime in HQ's wizard and download the new bundle.