woow-hermes-mcp-server
OfficialAllows control of a Hermes Agent instance, providing tools for inspecting agent capabilities, managing skills, MCP servers, models, configurations, toolsets, gateway, chat sessions, and more.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@woow-hermes-mcp-serverShow the current agent status and capabilities"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Overview
Woow Hermes MCP Server is a full-stack admin wrapper that lets any MCP client (Claude Desktop, Claude Code, n8n, etc.) fully control a Hermes AI Agent instance through 9 FastMCP tools. It pairs a Python backend (FastAPI + FastMCP) with a React 19 Web Admin GUI, connecting to the Hermes Agent via two independent APIs -- the Gateway API for chat and sessions, and the Dashboard REST API for configuration and management.
Why This Package?
Challenge | Solution |
Hermes Agent has two separate APIs with different auth methods | Unified dual-connection wrapper -- Gateway (Bearer) + Dashboard (Cookie) behind a single interface |
MCP clients cannot natively manage Hermes configuration | 9 FastMCP tools expose inspect, skill, model, config, toolset, gateway, chat, session, and MCP server management |
No web-based admin GUI for Hermes Agent operations | 15-page React SPA with dark theme, responsive sidebar, and real-time log streaming |
Credentials are exposed when connecting AI to admin APIs | Dual auth credentials stay server-side -- MCP clients authenticate via a single URL-path token |
Configuration changes risk breaking critical settings | Deny-list blocks dangerous config keys, stdio MCP transports, and env variable readback |
Deploying Hermes management to Kubernetes is complex | Single-container deployment with multi-stage Docker build, K8s manifests, and Cloudflare Tunnel support |
Related MCP server: hermes-mcp-server
Features
MCP Server (9 Tools)
hermes_inspect -- Full snapshot of Gateway capabilities, Dashboard config, and model info
hermes_session -- List, get, or delete Hermes chat sessions via Gateway API
hermes_skill -- List, enable, or disable Hermes Agent skills via Dashboard API
hermes_mcp -- Manage Hermes MCP server connections (list, add, remove) with stdio blocking
hermes_model -- Switch AI model, provider, or list available providers
hermes_config -- Read or update Dashboard configuration keys with deny-list enforcement
hermes_tools -- Enable or disable Hermes Agent toolsets
hermes_gateway -- Check Gateway status or trigger restart
hermes_chat -- Send chat messages to Hermes and receive AI responses
Web Admin GUI (15 Pages)
Dashboard -- Dual connection health status with summary cards for model, tools, skills, sessions
Connection Config -- Configure Gateway API + Dashboard API credentials with connectivity testing
Tool Manager -- Enable/disable 9 MCP wrapper tools with category grouping (Read/Write/Agent)
Hermes Toolsets -- Manage the Hermes Agent's own internal toolsets
Model Manager -- View and switch AI model/provider configuration
Skill Manager -- Browse, enable, and disable Hermes skills with Hub install support
MCP Server Manager -- Manage MCP server connections registered inside the Hermes Agent
Config Editor -- Full JSON config editor with deny-list protection for sensitive keys
Gateway Control -- Gateway status monitoring, restart, and drain-restart controls
Session Manager -- View, inspect, and bulk-delete chat sessions
Token Manager -- Generate, rotate, and set MCP proxy authentication tokens
Log Viewer -- Real-time SSE log streaming with regex search over a 5000-line ring buffer
Deny List -- Read-only view of blocked config keys, MCP operations, and env operations
Settings -- Full config.json management with per-section editing and MCP process controls
Login Page -- JWT-based authentication with configurable admin password
Infrastructure
Multi-stage Docker Build -- Node 20 Alpine (frontend) + Python 3.12-slim (backend) in a single container
Kubernetes Ready -- RBAC ServiceAccount, Deployment, ClusterIP Service on port 9003
Cloudflare Tunnel -- Production endpoint at
hermes-mcp-admin.woowtech.ioFile-based Config -- Portable
/data/config.jsonstore works across Docker, Podman, K3s, and bare-metalMCP Subprocess Manager -- Automatic start, stop, restart, and log draining for the MCP server process
Architecture
┌─────────────────────────────────────────────────────────────────────────┐
│ Woow Hermes MCP Server │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ MCP Client (Claude Desktop / Claude Code / n8n) │
│ │ │
│ │ Streamable HTTP: /private_{token}/sse │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ hermes_mcp_admin (FastAPI :9003) │ │
│ │ │ │
│ │ ┌──────────┐ ┌──────────┐ ┌────────┐ ┌──────┐ ┌────────────┐ │ │
│ │ │ config │ │ tools │ │ tokens │ │ logs │ │ dashboard │ │ │
│ │ │ router │ │ router │ │ router │ │router│ │ proxy │ │ │
│ │ └──────────┘ └──────────┘ └────────┘ └──────┘ └────────────┘ │ │
│ │ │ │ │ │ │ │ │
│ │ ┌────▼─────────────▼────────────▼─────────▼──────────▼──────┐ │ │
│ │ │ mcp_admin_core │ │ │
│ │ │ ConfigStore │ AuthMiddleware │ ProcessMgr │ MCP Proxy │ │ │
│ │ └──────────────────────────┬────────────────────────────────┘ │ │
│ │ │ │ │
│ │ ┌──────────────────────────▼────────────────────────────────┐ │ │
│ │ │ hermes_mcp_server (FastMCP) │ │ │
│ │ │ 9 Tools: inspect│session│skill│mcp│model│config│tools│ │ │ │
│ │ │ gateway│chat │ │ │
│ │ └──────────────────────────┬────────────────────────────────┘ │ │
│ └─────────────────────────────┼────────────────────────────────────┘ │
│ │ │
│ ┌─────────────────┴──────────────────┐ │
│ ▼ ▼ │
│ ┌────────────────────────┐ ┌────────────────────────────┐ │
│ │ [A] Gateway API :8642 │ │ [B] Dashboard REST API :9119│ │
│ │ Bearer auth │ │ Cookie auth (v0.17.0) │ │
│ │ │ │ │ │
│ │ • /v1/capabilities │ │ • /api/config │ │
│ │ • /v1/responses │ │ • /api/skills │ │
│ │ • /api/sessions/* │ │ • /api/model/* │ │
│ │ • /health │ │ • /api/tools/* │ │
│ └────────────────────────┘ │ • /api/status │ │
│ │ • /auth/password-login │ │
│ └────────────────────────────┘ │
│ │
│ ┌────────────────────────────┐ │
│ │ Hermes Agent v0.17.0 │ │
│ └────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────┘System Flow (Mermaid)
graph TB
subgraph MCP_Clients["MCP Clients"]
CD["Claude Desktop"]
CC["Claude Code"]
N8N["n8n"]
end
subgraph Admin["Hermes MCP Admin :9003"]
PROXY["MCP Reverse Proxy"]
API["FastAPI REST API"]
SPA["React 19 SPA — 15 Pages"]
MCP_SERVER["FastMCP Server — 9 Tools"]
CORE["mcp_admin_core"]
end
subgraph Agent["Hermes Agent v0.17.0"]
GW["Gateway API :8642 — Bearer Auth"]
DB["Dashboard API :9119 — Cookie Auth"]
end
CONFIG[("config.json")]
CD -->|"Streamable HTTP"| PROXY
CC -->|"Streamable HTTP"| PROXY
N8N -->|"Streamable HTTP"| PROXY
PROXY --> MCP_SERVER
MCP_SERVER --> CORE
SPA -->|"REST"| API
API --> CORE
MCP_SERVER -->|"httpx"| GW
MCP_SERVER -->|"httpx"| DB
API -->|"Dashboard Proxy"| DB
API -->|"Gateway Proxy"| GW
CORE -->|"File Store"| CONFIGModule Structure
The project is organized into three Python packages, each with a distinct responsibility:
mcp_admin_core -- Shared Foundation
Core library providing config store, auth middleware, process manager, and MCP reverse proxy. Designed for reuse across different MCP admin projects.
Module | Description |
| File-backed JSON config store with async API, caching, and auto-migration |
| JWT authentication middleware + login router for |
| MCP subprocess manager with start/stop/restart and log draining |
| Reverse proxy routing |
| Full config.json CRUD, admin password management, MCP process controls |
| Utility to run any MCP stdio server as an SSE HTTP server |
| Kubernetes API client for in-cluster operations |
hermes_mcp_admin -- Admin API + Web GUI
FastAPI application with 5 domain routers and a Dashboard proxy layer. Serves the React SPA and exposes REST endpoints for the admin GUI.
Module | Description |
| Application entry point, router registration via |
| Tool registry defining 9 tools in 3 categories (Read/Write/Agent) |
| Dual connection config (Gateway + Dashboard) with connectivity testing |
| MCP tool enable/disable with per-tool operation granularity |
| Token generation, rotation, and history with auto-restart on change |
| Dual health checks + summary data (model, tools, skills, sessions) |
| SSE log streaming + regex search over a 5000-line ring buffer |
| Proxy layer for skills, model, MCP servers, toolsets, sessions, gateway, config editor, and deny list |
hermes_mcp_server -- FastMCP Tools
Pure MCP server package containing 9 tools that bridge the Hermes Gateway and Dashboard APIs. Runs as a subprocess managed by
mcp_admin_core.
Module | Description |
| FastMCP server with 9 |
Screenshots
Login Page
JWT-based authentication with configurable admin password.
Dashboard
Dual connection health monitoring with summary cards for model, tools, skills, sessions, and MCP servers.
Connection Config
Configure Hermes Gateway API and Dashboard API credentials with one-click connectivity testing.
Tool Manager
Enable or disable 9 MCP tools organized by category (Read, Write, Agent) with per-tool operation control.
Token Manager
Generate, rotate, and manage MCP proxy authentication tokens with rotation history.
Model Manager
View and switch AI model and provider configuration for the Hermes Agent.
Skill Manager
Browse, enable, and disable Hermes Agent skills with Hub install support.
MCP Server Manager
Manage MCP server connections registered inside the Hermes Agent.
Hermes Toolsets
View and toggle the Hermes Agent's built-in toolsets.
Config Editor
Full JSON config editor with deny-list protection for sensitive keys.
Gateway Control
Gateway status monitoring with restart and drain-restart controls.
Session Manager
View, inspect, and bulk-delete Hermes chat sessions.
Log Viewer
Real-time SSE log streaming with regex search and a 5000-line in-memory ring buffer.
Deny List
Read-only view of blocked config keys, MCP operations, and environment variable operations.
Settings
Full config.json management with per-section editing, admin password change, and MCP process controls.
Mobile Responsive
Fully responsive dark-theme layout with collapsible sidebar for mobile devices.
Installation
Prerequisites
Docker or Podman (for containerized deployment)
Hermes Agent v0.17.0 running with Gateway API (:8642) and Dashboard API (:9119) accessible
Python 3.12+ (for development only)
Node 20+ (for frontend development only)
Option 1: Docker Compose (Recommended)
# Clone the repository
git clone https://github.com/WOOWTECH/woow_hermes_mcp_server.git
cd woow_hermes_mcp_server
# Configure credentials
cp .env.example .env
# Edit .env with your Hermes Gateway and Dashboard credentials
# Start the service
docker compose up -d
# Access
# Admin GUI: http://localhost:9003
# MCP endpoint: http://localhost:9003/private_{token}/sseOption 2: Kubernetes (K3s/K8s)
# Create the namespace secret with Hermes credentials
kubectl create secret generic hermes-mcp-secrets \
--namespace=kasim-odoo \
--from-literal=gateway-url=http://hermes-agent-svc:8642 \
--from-literal=gateway-api-key=YOUR_API_KEY \
--from-literal=dashboard-url=http://hermes-agent-svc:9119 \
--from-literal=dashboard-username=admin \
--from-literal=dashboard-password=YOUR_PASSWORD
# Deploy
kubectl apply -f k8s-deploy.yaml
# Verify
kubectl get pods -n kasim-odoo -l app=hermes-mcp-admin
kubectl logs -n kasim-odoo -l app=hermes-mcp-admin -fThe K8s deployment includes:
ServiceAccount with RBAC for secrets, configmaps, pods, and deployments
Deployment with readiness and liveness probes on
/healthzClusterIP Service on port 9003
Resource limits: 100m-500m CPU, 128Mi-512Mi memory
Option 3: Development Setup
# Clone and install Python dependencies
git clone https://github.com/WOOWTECH/woow_hermes_mcp_server.git
cd woow_hermes_mcp_server
pip install -e ".[dev]"
# Build and serve frontend
cd frontend
npm install
npm run build
cd ..
# Copy build output for SPA serving
cp -r frontend/dist static
# Configure environment
export HERMES_GATEWAY_URL=http://localhost:8642
export HERMES_GATEWAY_API_KEY=your-api-key
export HERMES_DASHBOARD_URL=http://localhost:9119
export HERMES_DASHBOARD_USERNAME=admin
export HERMES_DASHBOARD_PASSWORD=your-password
# Start the server
uvicorn hermes_mcp_admin.main:app --host 0.0.0.0 --port 9003 --reloadConfiguration
Environment Variables
Variable | Description | Default |
| Hermes Gateway API base URL |
|
| Gateway Bearer authentication key | (empty) |
| Hermes Dashboard REST API base URL |
|
| Dashboard login username |
|
| Dashboard login password | (empty) |
| Admin GUI login password |
|
| Secret key for JWT token signing | (auto-generated) |
| JWT token expiry duration in hours |
|
| Path to the JSON config file |
|
| Token for MCP proxy URL-path authentication | (empty) |
Config File Structure
The application stores all persistent configuration in a single JSON file (/data/config.json):
{
"admin_password": "your-admin-password",
"mcp_auth_token": "hex-token-for-mcp-proxy",
"connection": {
"gateway_url": "http://hermes:8642",
"gateway_api_key": "...",
"dashboard_url": "http://hermes:9119",
"dashboard_username": "admin",
"dashboard_password": "..."
},
"tools": {
"disabled": [],
"disabled_operations": {}
},
"mcp_server": {
"command": "python",
"args": ["-m", "hermes_mcp_server.server"],
"port": 8000,
"env": {}
},
"proxy": {
"timeout": 86400
},
"token_history": []
}Deny List
The following operations are blocked for security:
Category | Blocked Items | Reason |
Config Keys |
| Prevent remote code execution and network exposure |
MCP Operations |
| Block stdio/command-based MCP transports |
Env Operations |
| Prevent credential readback |
API Reference
Authentication
Endpoint | Method | Description |
| POST | Authenticate with admin password, returns JWT |
| GET | Health check (no auth required) |
Connection Config
Endpoint | Method | Description |
| GET | Current dual connection settings (secrets masked) |
| PUT | Update Gateway + Dashboard connection settings |
| POST | Test Gateway API connectivity via |
| POST | Test Dashboard API connectivity via cookie login |
Tool Management
Endpoint | Method | Description |
| GET | List all 9 MCP tools with categories and enabled status |
| PUT | Update disabled tools list, restart MCP server |
| PUT | Update per-tool disabled operations, restart MCP server |
Token Management
Endpoint | Method | Description |
| GET | Current proxy token (masked) + rotation history |
| POST | Generate a random hex token (preview, not applied) |
| POST | Generate, apply, and restart MCP server |
| PUT | Set a specific token value and restart MCP server |
Health & Monitoring
Endpoint | Method | Description |
| GET | Dual health check + summary data (model, tools, skills, sessions) |
| GET | SSE endpoint streaming MCP server logs in real time |
| GET | Search the in-memory log buffer (plain text or regex) |
Dashboard Proxy
Endpoint | Method | Description |
| GET | List Hermes Agent skills |
| PUT | Update skill configuration |
| GET | Current model and provider configuration |
| GET | Available providers and models |
| POST | Switch AI model |
| GET | List MCP servers registered in Hermes |
| POST | Add an MCP server |
| PUT/DELETE | Update or remove an MCP server |
| GET | List Hermes Agent toolsets |
| PUT | Update toolset configuration |
| GET | List chat sessions |
| DELETE | Delete a session |
| POST | Bulk delete sessions |
| GET | Gateway running status |
| POST | Restart Gateway |
| POST | Drain active connections then restart |
| GET | Full config for JSON editor (with denied keys list) |
| PUT | Update full config |
| GET | Read-only deny list |
Settings
Endpoint | Method | Description |
| GET | Full config (passwords masked) |
| PUT | Replace full config |
| GET/PUT | Get or replace a config section |
| GET | MCP server process status |
| POST | Restart MCP server process |
| POST | Rotate MCP auth token |
MCP Proxy
Endpoint | Method | Description |
| GET | MCP SSE connection endpoint |
| ALL | Reverse proxy to MCP server subprocess |
MCP Tools
The FastMCP server exposes 9 tools organized into 3 categories:
Read (2 tools)
Read-only inspection and query tools that do not modify any state.
Tool | API | Description |
| [A]+[B] | Inspect Gateway capabilities ( |
| [A] | List ( |
Write (6 tools)
Mutating operations that modify Hermes Agent configuration. All write tools support dry_run mode.
Tool | API | Actions | Description |
| [B] | list, enable, disable | Manage Hermes Agent skills via |
| [B] | list, add, remove | Manage MCP server connections via |
| [B] | info, set, list | Switch model or provider via |
| [B] | get, set | Read or write Dashboard config keys via |
| [B] | list, enable, disable | Toggle Hermes toolsets via |
| [B] | status, restart | Check Gateway status or trigger restart via |
Agent (1 tool)
Interactive conversational tool.
Tool | API | Description |
| [A] | Send a chat message via |
Legend: [A] = Gateway API (:8642, Bearer auth) | [B] = Dashboard API (:9119, Cookie auth)
Tool Categories Explained
┌─────────────────────────────────────────────────────────────┐
│ 9 MCP Tools │
├──────────────┬──────────────────────┬────────────────────────┤
│ Read (2) │ Write (6) │ Agent (1) │
│ │ │ │
│ hermes_ │ hermes_skill │ hermes_chat │
│ inspect │ hermes_mcp │ │
│ hermes_ │ hermes_model │ │
│ session │ hermes_config │ │
│ │ hermes_tools │ │
│ │ hermes_gateway │ │
│ │ │ │
│ Safe, no │ Mutating, deny-list │ Conversational, │
│ side effects │ + dry_run support │ session-aware │
└──────────────┴──────────────────────┴────────────────────────┘Security
Authentication Layers
┌─────────────────────────────────────────────────────────────┐
│ Security Architecture │
│ │
│ Layer 1: MCP Proxy Auth │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ URL-path token: /private_{TOKEN}/sse │ │
│ │ Token stored in /data/config.json (never in env) │ │
│ │ Rotatable via API or GUI │ │
│ └────────────────────────────────────────────────────────┘ │
│ │
│ Layer 2: Admin GUI Auth │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ JWT (HS256) via POST /api/auth/login │ │
│ │ HttpOnly + SameSite=Strict cookie │ │
│ │ Configurable expiry (default 24h) │ │
│ │ Bearer header, cookie, or query param fallback (SSE) │ │
│ └────────────────────────────────────────────────────────┘ │
│ │
│ Layer 3: Hermes Dual Auth (server-side only) │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ Gateway: Bearer API_SERVER_KEY → never exposed │ │
│ │ Dashboard: Cookie hermes_session_at → never exposed │ │
│ │ Credentials cached server-side (10 min cookie TTL) │ │
│ └────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘Security Features
Deny List -- Blocks writes to dangerous config keys (
terminal.backend,api_server.cors_origins,api_server.host)Stdio Transport Blocking -- MCP server
addaction rejectsstdio:andcommand:URLs to prevent shell injectionEnvironment Isolation -- Hermes API credentials stay server-side, never sent to MCP clients
Constant-Time Password Comparison --
secrets.compare_digestprevents timing attacks on loginToken Masking -- All API responses mask sensitive values (passwords, API keys, tokens)
Write-Only Env Keys -- Environment variable readback is denied to prevent credential exfiltration
Dry Run Mode -- All write tools support
dry_run=truefor safe previewing of changesRBAC (K8s) -- ServiceAccount with minimal permissions scoped to namespace (secrets, configmaps, pods, deployments)
Liveness & Readiness Probes -- K8s health checks on
/healthzwith configurable intervals
Contributing
Development Setup
# Install in development mode
pip install -e ".[dev]"
# Run tests
pytest
# Frontend development (hot reload)
cd frontend
npm install
npm run devProject Structure
woow_hermes_mcp_server/
├── mcp_admin_core/ # Shared foundation package
│ ├── auth/ # JWT middleware + login
│ ├── config/ # File-backed config store
│ ├── k8s/ # Kubernetes client
│ ├── routers/ # Settings router
│ ├── app.py # FastAPI application factory
│ ├── process.py # MCP subprocess manager
│ ├── proxy.py # MCP reverse proxy
│ └── mcp_sse_wrapper.py # SSE transport wrapper
├── hermes_mcp_admin/ # Admin API + Web GUI
│ ├── routers/ # 5 domain routers + dashboard proxy
│ ├── main.py # App entry point
│ └── tool_registry.py # 9-tool registry (3 categories)
├── hermes_mcp_server/ # FastMCP server
│ └── server.py # 9 MCP tools
├── frontend/ # React 19 + Vite + Tailwind CSS 4
│ └── src/
│ ├── pages/ # 15 page components
│ └── components/ # Sidebar, StatusCard
├── docs/screenshots/ # 16 screenshots
├── Dockerfile # Multi-stage Node 20 + Python 3.12
├── docker-compose.yml # Docker Compose config
├── k8s-deploy.yaml # K8s manifests (RBAC + Deploy + Service)
├── deny-list.yaml # Security deny-list
├── pyproject.toml # Python project config
└── .env.example # Environment variable templateCoding Conventions
Python: type hints on all function signatures, async/await for I/O
Pydantic models for all request/response schemas
Each router is a self-contained module with its own Pydantic models
Frontend: functional React components with hooks, Tailwind CSS utility classes
License
This project is licensed under the MIT License.
See LICENSE for details.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/WOOWTECH/woow_hermes_mcp_server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server