Hermes Guide
Hermes Agent Web UI
The Hermes Agent web UI is the browser dashboard that ships with the Hermes Agent gateway — a chat pane, a skills manager, a connection status panel, and an approvals queue for sensitive actions. This guide covers what's inside it, how to reach it, how to secure it, and when to skip self-hosting and use the OpenClaw Launch hosted gateway instead.
What's in the Web UI
The Hermes Agent web UI is served by the agent gateway. It gives you:
- Chat panel — send and receive messages, inspect tool calls, see streamed responses
- Connection status — which channels (Telegram, Discord, WhatsApp) are currently paired and online
- Skills / plugins — install, enable, disable, and configure skills without editing files
- Approvals queue — approve or reject shell commands, file edits, or network actions the agent wants to run
- Memory browser — view and edit what the agent remembers about you
- Logs — recent model calls, errors, and tool invocations
How to Open It (Self-Hosted)
If you run Hermes Agent yourself (docker, docker-compose, or bare metal), the web UI is usually served on the same port as the gateway. By default that's http://localhost:8642/ui. Check the gateway section of your Hermes config file for the real port if you changed it.
First visit asks you to authenticate. Depending on your gateway.controlUi settings you'll see either a pairing code screen (Telegram bot sends the code) or a token prompt.
Reaching It From Outside Your Machine
http://localhost:8642 only works if you're sitting at the server. Three common ways to reach it remotely:
- Reverse proxy + HTTPS — Caddy, Nginx, or Traefik terminate TLS and forward to the gateway. Pair with a real domain and a cert.
- Tunnel — Cloudflare Tunnel, Tailscale, or ngrok punch a hole without opening inbound ports.
- Device pairing — set gateway.controlUi.allowInsecureAuth: true and pair from Telegram, then the UI uses token auth over the existing TLS tunnel.
The usual mistake is exposing the UI on a public IP without TLS. Don't: the dashboard has everything the agent can do.
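One way to check a Linux host for that mistake, as an added example that is not part of the original guide or of Hermes itself: the script reads `ss -ltnH` output and reports any listener on the gateway port that is bound to a non-loopback address. The function name `exposed_listeners` and the sample lines are constructed for illustration; 8642 is the default port named above, and `ss` (iproute2) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not Hermes code. Reads `ss -ltnH` output on stdin and prints
# every listener on the given port that is bound to a non-loopback address.
# Returns 0 when the port is loopback-only (or not listening), 1 otherwise.
exposed_listeners() {
    # $1: port to check; defaults to 8642, the gateway default from the guide
    awk -v port="${1:-8642}" '
        $1 == "LISTEN" {
            la = $4                              # Local Address:Port column
            n = split(la, parts, ":")
            if (parts[n] != port) next           # some other service
            addr = substr(la, 1, length(la) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)                # drop interface scope (%lo)
            gsub(/^\[|\]$/, "", addr)            # strip IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") next   # loopback is fine
            print la                             # wildcard or routable bind
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed samples (not captured from a real host).
# Gateway bound to loopback only, sshd on all interfaces:
SAMPLE_LOCAL='LISTEN 0 4096 127.0.0.1:8642 0.0.0.0:*
LISTEN 0 128 [::1]:8642 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
# Gateway port bound to every interface (IPv4 and IPv6 wildcard):
SAMPLE_PUBLISHED='LISTEN 0 4096 0.0.0.0:8642 0.0.0.0:*
LISTEN 0 4096 [::]:8642 [::]:*'

# Demo over the samples. On a real host: ss -ltnH | exposed_listeners 8642
for s in "$SAMPLE_LOCAL" "$SAMPLE_PUBLISHED"; do
    if out=$(printf '%s\n' "$s" | exposed_listeners 8642); then
        echo "OK: port 8642 is loopback-only"
    else
        echo "EXPOSED: $out"
    fi
done
```

A loopback-only result means remote access has to go through the reverse proxy or tunnel, which is where TLS is terminated.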
Securing the UI
The UI enforces whatever auth is declared in the Hermes config. Two things to get right:
- Keep gateway.auth.token private. It's the master key to your agent — anyone with the token can chat, approve actions, change skills. Treat it like an SSH key.
- Prefer pairing over shared tokens. If you expose the UI beyond yourself, pairing via Telegram/Discord gives each device a per-session token. Much easier to revoke.
Common Things People Do In It
- Chat with the agent in a first-class UI instead of Telegram — nice when you want inline tool-call visibility.
- Approve a shell command or file edit the agent wants to run (if approvals.mode is set to require them).
- Turn a skill on or off without restarting the container.
- Pair a new Telegram/WhatsApp session after a token change.
- Watch the logs tab while a long task runs.
Web UI vs Chat Channels
The web UI is one of several ways to talk to the agent — it's not a replacement for Telegram/Discord/WhatsApp, it's complementary:
- Use the web UI when you want full visibility: tool calls, logs, approvals, memory.
- Use a chat channel when you're on the go or want the agent to talk to other people, not just you.
Skip Self-Hosting: OpenClaw Launch
Everything above assumes you're running the Hermes Agent gateway yourself. OpenClaw Launch hosts a full gateway (OpenClaw + Hermes options, both) for you, including the web UI, on a real HTTPS domain, with warm-pool deployment, Telegram pairing, and approvals all pre-wired.
If you're reading this because you tried to make the Hermes UI reachable from your phone and hit a wall — pick Hermes hosting on OpenClaw Launch. You get the same UI, same skills, same approvals flow, without the reverse-proxy homework.
Troubleshooting
UI loads but shows “Unauthorized”
Token mismatch. Double-check gateway.auth.token in your config and the token the UI is sending. After changing the token you need to restart the gateway (it's one of the config fields that doesn't hot-reload).
Chat panel says “gateway offline”
The gateway process crashed or never started. Check docker ps or your process manager, then docker logs hermes for the real error. Common culprits: invalid model ID, missing provider API key, port 8642 already in use.
Channels tab shows “not paired” forever
The credentials directory (~/.hermes/credentials/) is missing or not mounted into the container. Create it before starting the gateway, and make sure your docker-compose volume mount writes there.
Next Steps
- Deploy Hermes Agent — self-hosted install walkthrough
- Hermes Agent docker-compose — one-file deployment recipe
- Hermes Agent memory — how memory works and where it lives
- Hermes hosting on OpenClaw Launch — skip the ops, keep the UI