How the gateway works
A single hermes gateway process handles all connected platforms simultaneously. You run it once and it listens on all configured channels. The gateway delivers messages to the agent, runs the inference loop, and sends responses back to the originating platform.
Security is opt-in per platform. Every platform has an ALLOWED_USERS environment variable that acts as a whitelist. Without it, the gateway accepts messages from anyone who finds your bot. That's a serious problem for an agent with shell access. Set allowlists before exposing any gateway publicly.
The alternative to manual allowlists is DM pairing codes: unknown users message your bot and receive a one-time pairing code that expires after one hour. You approve it with hermes pairing approve <platform> <code>. This is more scalable than maintaining allowlists for multiple users.
Telegram
Telegram is the most commonly used Hermes gateway. Setup:
- Message @BotFather in Telegram → send
/newbot→ follow prompts → copy the token - Message @userinfobot to get your numeric user ID
- Add to
~/.hermes/.env:
TELEGRAM_BOT_TOKEN=1234567890:AAF...
TELEGRAM_ALLOWED_USERS=123456789
# Multiple users: TELEGRAM_ALLOWED_USERS=123456789,987654321
- Test manually:
hermes gateway - Install as service:
hermes gateway install
Or use the interactive setup wizard:
hermes gateway setup
For webhook mode instead of long-polling (more reliable, lower latency):
TELEGRAM_WEBHOOK_URL=https://your-domain.com/webhooks/telegram
You need a public HTTPS endpoint for webhook mode. Long-polling works fine for personal use without a domain.
Group chat access is disabled by default. If you want Hermes responding in a Telegram group, add TELEGRAM_ALLOW_GROUPS=true and be aware that everyone in the group who is in your allowlist can issue commands.
Discord
Discord support includes slash commands, thread responses, and voice channel transcription. Setup:
- Go to discord.com/developers/applications → New Application → name it
- Bot tab → Add Bot → copy the token
- OAuth2 tab → URL Generator → select
botandapplications.commandsscopes,Send Messages+Read Message History+Use Slash Commandspermissions → copy and visit the generated URL to add the bot to your server - Enable Message Content Intent in the Bot tab (required for reading messages)
- Add to
.env:
DISCORD_BOT_TOKEN=MTq...
DISCORD_ALLOWED_USERS=123456789012345678 # Discord user ID (18 digits)
DISCORD_ALLOWED_GUILDS=987654321098765432 # Optional: restrict to specific server
Discord voice channel integration uses voice recognition to transcribe speech and pass it to the agent. This requires the voice dependencies:
hermes install --extras voice
The agent responds in text by default. Voice output (text-to-speech back into the voice channel) is supported with additional config — check the official docs for TTS provider setup.
For slash commands (typing /ask instead of mentioning the bot), the bot registers its commands automatically on first connection. If slash commands don't appear, kick and re-add the bot to the server to force a command re-registration.
WhatsApp integration uses the Baileys library — an unofficial bridge that emulates the WhatsApp Web session protocol. No Meta developer account is required, and no WhatsApp Business API verification is needed. The tradeoff: it is unofficial, and WhatsApp can restrict accounts that automate message sending.
Setup:
hermes whatsapp
The wizard will:
- Install the Baileys bridge dependencies (requires Node.js v18+)
- Display a QR code in the terminal
- You scan it: WhatsApp → Settings → Linked Devices → Link a Device
- Session saves automatically
Two modes:
- Separate bot number (recommended): dedicate a phone number to the bot. Lower ban risk, cleaner UX for multiple users.
- Personal self-chat: use your own WhatsApp number, message yourself to talk to the agent. Easier to set up, more account risk.
The main risk: WhatsApp's terms prohibit unofficial automation. For personal use, ban risk is low. For anything resembling bulk messaging or contacting people who haven't opted in, the risk is significant. The official WhatsApp Business API (which Hermes does not use) is the compliant alternative for business use cases.
The email gateway uses standard IMAP (inbound) and SMTP (outbound). No external libraries — it uses Python's built-in imaplib, smtplib, and email modules.
For Gmail:
# First: Enable 2FA on your Google account
# Then: myaccount.google.com/apppasswords → create app password for Mail
EMAIL_ADDRESS=hermes@gmail.com
EMAIL_PASSWORD=xxxx-xxxx-xxxx-xxxx # 16-char app password, NOT your Gmail password
EMAIL_IMAP_HOST=imap.gmail.com
EMAIL_SMTP_HOST=smtp.gmail.com
EMAIL_ALLOWED_USERS=you@yourdomain.com,colleague@work.com
For Outlook/Microsoft 365:
EMAIL_IMAP_HOST=outlook.office365.com
EMAIL_SMTP_HOST=smtp.office365.com
# App password: account.microsoft.com/security → Additional security options
Ports default to IMAP 993 (TLS) and SMTP 587 (STARTTLS). Most providers work with just the host names — override with EMAIL_IMAP_PORT and EMAIL_SMTP_PORT if needed.
The gateway polls IMAP for new messages. Use a dedicated email account, not your personal inbox — the gateway reads and processes all incoming email to that address.
Webhooks
The webhook gateway runs an HTTP server on port 8644 and accepts POST requests, letting you connect Hermes to any service that can send webhook events: GitHub, GitLab, JIRA, Stripe, or anything custom.
WEBHOOK_ENABLED=true
WEBHOOK_PORT=8644
WEBHOOK_SECRET=your-global-secret # Used for HMAC signature validation
Create a named route:
hermes webhook subscribe
Endpoint format: http://your-server:8644/webhooks/<route-name>
Health check: curl http://localhost:8644/health
Common use cases: receive GitHub PR review requests and have the agent write a summary; process JIRA ticket updates; handle Stripe payment events and trigger follow-up actions. The agent receives the webhook payload, interprets it, and can use any of its tools (file access, shell, browser) to respond.
The other 9 platforms
The complete list of Hermes Agent gateways confirmed by the official documentation (15 total, not 12):
- Telegram — most popular, long-polling or webhook mode
- Discord — slash commands, voice channel, thread support
- Slack — Slack app with OAuth, works in DMs and channels
- WhatsApp — Baileys bridge, unofficial
- Signal — requires Signal CLI installed and linked phone number
- SMS — Twilio integration, sends/receives SMS
- Email — IMAP/SMTP, any email provider
- Home Assistant — integrates directly with HA as a conversation agent
- Mattermost — self-hosted Slack alternative
- Matrix — decentralized messaging protocol (Element, etc.)
- DingTalk — Alibaba's enterprise messaging platform
- Feishu/Lark — ByteDance enterprise messenger
- WeCom — Tencent's enterprise WeChat variant
- Open WebUI / API Server — HTTP API endpoint for custom frontends or integration with Open WebUI
- Webhooks — generic HTTP webhook receiver
All gateways share the same security model: ALLOWED_USERS allowlist or DM pairing code approval. Global: GATEWAY_ALLOWED_USERS applies across all connected platforms. Per-platform variables override the global setting. Setting GATEWAY_ALLOW_ALL_USERS=true accepts messages from anyone — never do this for a gateway with shell access.
Running multiple gateways simultaneously
One hermes gateway process handles all configured platforms. If you set up both Telegram and Discord credentials, the same agent instance responds on both. A message from Telegram and a message from Discord reach the same agent with the same memory and context.
The built-in cron scheduler runs inside the gateway process, ticking every 60 seconds. Scheduled tasks can deliver to any connected platform — a morning briefing can go to Telegram, a work-hours alert to Slack, and an end-of-day summary to Email.
Token usage is higher through messaging gateways than CLI. The official documentation notes that Telegram adds roughly 15,000-20,000 tokens of overhead per message (vs 6,000-8,000 in CLI) due to AGENTS.md workspace files and additional context. At OpenRouter pricing for Claude Sonnet, that is approximately $0.03-0.06 per message just in overhead. Use hermes tools to disable unused tool categories to reduce the baseline token cost.
Hermes OS and gateway setup
On Hermes OS, gateway configuration is handled through the dashboard — paste your Telegram bot token and user ID, click connect, done. The gateway service is managed, monitored, and restarted automatically. You do not need to manage the hermes gateway install → systemctl → loginctl enable-linger sequence manually.
All 15 gateways are available on Hermes OS. Multi-gateway setup (Telegram + Discord + Email simultaneously) works without any additional configuration beyond adding the credentials for each platform.