Hermes
Give a Hermes (Nous Research) agent a real, routable, verifiable Whisper network identity — and, with a key, source-bind its host egress to a Whisper /128.
Status: Staged — install from source, registry publish pending. Built and proven end-to-end locally; there is no one-command registry install yet. The real add-step below works today. The MCP recipe is proven end-to-end on self-hosted Hermes (2 keyless / 8 keyed tools, /128 egress, a real agent loop routing a call to whisper_verify); the native Python plugin is fixed and pending a packaged publish.
Add it
Hermes speaks MCP natively. Add this block under mcp_servers in ~/.hermes/config.yaml and restart — Hermes auto-registers each tool as mcp_whisper_<tool>:
mcp_servers:
whisper:
command: whisper
args: ["mcp"]
Prerequisite: the whisper CLI on your PATH — the adapter runs whisper mcp (the tool surface) and, for egress, whisper connect:
curl -fsSL https://get.whisper.online | sh
Two tiers, auth optional
Like every Whisper integration, the adapter is two-tier by design — liberal in what it asks of you (Postel's Law):
- No API key — the keyless tools work for everyone:
whisper_verify(is an address or hostname a real Whisper agent, and whose?) andwhisper_rdap(its RDAP registration). Real value, zero setup. - With your key (
WHISPER_API_KEYin the client's environment, or a savedwhisper login) — the full control plane unlocks (whisper_register,whisper_list,whisper_policy,whisper_logs,whisper_revoke,whisper_egress_config), and the session can egress from its routable/128.
Hermes does not forward your shell environment to MCP subprocesses, so export WHISPER_API_KEY=… alone stays at the two keyless tools. Unlock the keyed tier by running whisper login once, or by adding an env: block to the server in the recipe.
Verify without a key
# keyless — no account, no key
whisper verify 2a04:2a01:f3c6:4261:9887:4349:306a:52c8
# → verified Whisper agent (DANE-anchored)
# fqdn a98874349306a52c8.botboss.app
In an agent chat, the same check is one tool call — ask the model to run whisper_verify {target:"api.openai.com"} and it comes back with is_whisper_agent, dane_ok, and jws_ok.
Egress from your /128
Set your key in the client's launch environment, then let the agent mint its own identity and route through it:
export WHISPER_API_KEY=whisper_live_… # set in the CLIENT's launch env
# in chat: whisper_register {name:"scout"} → a routable /128 + DNS name
whisper ip # ✓ egress verified — source IP == the agent's /128
dig -x <that /128> # reverse-DNS → the agent's Whisper hostname
Verify it worked
Restart the client and ask it, in chat, to run whisper_verify against any address. A true/false is_whisper_agent verdict back means the whisper mcp server is wired in correctly, end to end. With a key present, whisper_list returns your agents.
Next: More frameworks · MCP server.