
Integration guide

clavitor + Hermes Agent

Nous Research's open-source autonomous agent runs on your server, remembers what it learns, and gets more capable the longer it runs. Pair it with Clavitor so every credential it touches is scoped, audited, and revocable.

What Hermes sees

Shared fields

Hermes reads these via the CLI skill to navigate, deploy, and authenticate.

  • API keys (OpenRouter, model providers, GitHub, AWS, Stripe...)
  • SSH host credentials
  • Database connection strings
  • TOTP seeds: 2FA codes on demand
  • Service account passwords

What Hermes never sees

Personal fields

Encrypted client-side with your fingerprint, your face, or your security key. The server stores the ciphertext. No key, no access.

  • Credit card numbers and CVVs
  • Passports and government IDs
  • Recovery codes and recovery phrases
  • Social security numbers
  • Bank account details

Hermes runs on your server. So does the CLI.

Hermes installs with one curl on Linux, macOS, or WSL2. It runs continuously, holds curated memory across sessions, and auto-creates skills. Drop the Clavitor CLI on the same host and any skill that needs a credential calls it.

1. Create an agent token

Open your vault → Agents → Create. Name it "Hermes" and choose which entries it can access. Copy the setup token.

Each agent gets its own scope, rate limits, and audit lineage. Hermes runs as one agent identity; the audit log tags every access as cli:hermes.

2. Initialize the CLI on the Hermes host

$ echo "$CLAVITOR_TOKEN" | clavitor-cli init

3. Resolve credentials inside a skill

Any Hermes skill (Python, Bash, anything it shells out to) reads credentials at the moment it needs them. The secret never lives in Hermes's memory or in its skill source code:

# Inside a Hermes skill
import subprocess
key = subprocess.check_output(
    ["clavitor-cli", "get", "OpenRouter", "--field", "key"]
).decode().strip()
# Use key, scrub it after the call

Gateways — Telegram, Discord, Slack, WhatsApp, Signal

Hermes connects to messaging platforms through a single gateway process. Store the platform tokens in Clavitor instead of in Hermes config files. Render the gateway config at startup:

{
  "telegram": { "token": "clavitor://Hermes Gateway/telegram_bot_token" },
  "discord":  { "token": "clavitor://Hermes Gateway/discord_bot_token" },
  "slack":    { "token": "clavitor://Hermes Gateway/slack_bot_token" }
}

$ clavitor-cli render hermes-gateway.json | hermes-agent start --config -

The committed template carries clavitor:// references; the resolved JSON lives only in the pipe between render and hermes-agent. Secrets never touch disk.

Browser automation with the proxy

Hermes can drive a real browser — navigate, click, type, screenshot. When a workflow signs into an external API, point Hermes at the Clavitor proxy and write the credential as a reference in the request header. The agent and the browser never see the secret:

$ export HTTPS_PROXY=http://localhost:1983
$ hermes-agent task "post a status update to our CMS"
# Hermes's HTTP calls go through the proxy.
# The CMS auth header is set to clavitor://Client CMS/api_key;
# the proxy resolves it on the wire.

Hermes Memory + Clavitor Memory

Hermes has its own curated long-term memory. Use Clavitor's encrypted Memory entries for anything Hermes shouldn't keep in its own store — recovery procedures, customer-specific runbooks, anything that should survive a fresh Hermes install:

# From any Hermes skill
$ clavitor-cli memory put --title "Deploy runbook" \
    --content "$(cat deploy-runbook.md)"

# Later — recall by semantic similarity, not keyword
$ clavitor-cli memory search "how do we roll back the API gateway?"

Clavitor Memory is end-to-end encrypted, syncs across devices, and the vault searches by vector without ever decrypting the text. Hermes adds the embedding when it writes; Hermes sends an embedding when it queries.

Every access is logged

The audit log records which agent accessed which credential, when, and from where. Hermes activity is distinguishable from human activity on every line.

# TIME                 ACTION  ENTRY                  ACTOR
2026-03-08 10:23:14  read    openrouter             cli:hermes
2026-03-08 10:23:15  read    telegram-bot           cli:hermes
2026-03-08 11:45:02  read    aws-production         cli:deploy-agent
2026-03-08 14:12:33  render  -                      cli:hermes
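
Because every line carries an actor tag, the log can be checked against the scope you intended each agent to have. The following is an added example, not Clavitor's or Hermes's own code: it assumes the whitespace-separated layout of the sample above and entry names without spaces, and the EXPECTED map, the cli:build-box actor and the last two log lines are constructed for illustration.

```python
from datetime import datetime
from typing import NamedTuple

class Event(NamedTuple):
    ts: datetime
    action: str
    entry: str
    actor: str

# Assumption: the entries you expect each agent identity to read (hypothetical map).
EXPECTED = {
    "cli:hermes": {"openrouter", "telegram-bot"},
    "cli:deploy-agent": {"aws-production"},
}

# Constructed sample: the four lines shown on the page plus two constructed anomalies.
SAMPLE = """\
# TIME                 ACTION  ENTRY                  ACTOR
2026-03-08 10:23:14  read    openrouter             cli:hermes
2026-03-08 10:23:15  read    telegram-bot           cli:hermes
2026-03-08 11:45:02  read    aws-production         cli:deploy-agent
2026-03-08 14:12:33  render  -                      cli:hermes
2026-03-08 15:02:41  read    aws-production         cli:hermes
2026-03-08 15:03:10  read    openrouter             cli:build-box
"""

def parse_line(line):
    """Return an Event, or None for blank and '#' header lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 5:  # assumes entry names contain no spaces, as in the sample
        raise ValueError(f"unexpected audit line: {line!r}")
    date, clock, action, entry, actor = parts
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return Event(ts, action, entry, actor)

def findings(log_text, expected=EXPECTED):
    """Flag actors with no expected scope and reads outside an actor's scope."""
    out = []
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev.actor not in expected:
            out.append(("unknown-actor", ev))
        elif ev.action == "read" and ev.entry not in expected[ev.actor]:
            out.append(("out-of-scope-read", ev))
    return out

if __name__ == "__main__":
    for kind, ev in findings(SAMPLE):
        print(f"{ev.ts:%Y-%m-%d %H:%M:%S}  {kind:<17}  {ev.actor} -> {ev.entry}")
```

An out-of-scope read here means the agent's token scope is wider than the map you maintain, which is the drift worth reviewing before it is needed in an incident.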