Expose HERMES_WEBUI_GATEWAY_API_KEY as a form field#49
Merged
Conversation
The WebUI talks to the Hermes gateway's OpenAI-compatible API server, which enforces bearer-token auth via API_SERVER_KEY. Without a matching HERMES_WEBUI_GATEWAY_API_KEY, the unauthenticated /health probe still passes (so the agent looks alive in /api/health/agent) but session listings, model catalogs, skills, and MCPs come back empty and chats fail to send — the WebUI looks half-broken in a way that's hard to attribute to auth. Surface the key as a password field in Runtipi config, plumb it through docker-compose.json, and document the gateway-vs-dashboard port distinction (8642 vs 9119) in description.md and the Gateway URL hint, since that was a separate source of confusion. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR improves the Hermes WebUI Runtipi app configuration to support authenticated connections to a Hermes gateway by surfacing the gateway bearer token as a configurable secret, and clarifies the gateway-vs-dashboard port distinction to reduce misconfiguration.
Changes:
- Add
HERMES_WEBUI_GATEWAY_API_KEYas a password form field and pass it into the container environment. - Clarify that the Gateway URL should use the gateway port (
8642) rather than the dashboard port (9119) in both config hints and app documentation. - Rename the UI login field label from “Password” to “WebUI Password” to distinguish it from the gateway API key.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| apps/hermes-webui/metadata/description.md | Documents the new Gateway API Key field and clarifies correct gateway port usage. |
| apps/hermes-webui/docker-compose.json | Plumbs HERMES_WEBUI_GATEWAY_API_KEY into the container environment. |
| apps/hermes-webui/config.json | Adds a new password form field for the gateway key, updates Gateway URL hint, and bumps tipi_version/updated_at. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| | **Password** | Protects the UI with HTTP authentication. Required when connecting from Hermes Agent Mobile. | | ||
| | **Gateway URL** | URL of your already-running Hermes Agent gateway (e.g. `http://192.168.1.10:8642`). Use the **gateway** port (default `8642`), not the **dashboard** port (`9119`). Required. | | ||
| | **Gateway API Key** | Bearer token that matches the gateway's `API_SERVER_KEY` (typically set in `~/.hermes/.env` on the gateway host). Required if the gateway enforces auth — without it, sessions and model lists silently come back empty and chat messages fail. | | ||
| | **WebUI Password** | Protects this UI with HTTP authentication (separate from the gateway key). Required when connecting from Hermes Agent Mobile. | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The WebUI talks to the Hermes gateway's OpenAI-compatible API server, which enforces bearer-token auth via API_SERVER_KEY. Without a matching HERMES_WEBUI_GATEWAY_API_KEY, the unauthenticated /health probe still passes (so the agent looks alive in /api/health/agent) but session listings, model catalogs, skills, and MCPs come back empty and chats fail to send — the WebUI looks half-broken in a way that's hard to attribute to auth.
Surface the key as a password field in Runtipi config, plumb it through docker-compose.json, and document the gateway-vs-dashboard port distinction (8642 vs 9119) in description.md and the Gateway URL hint, since that was a separate source of confusion.