Run tenant agents like infrastructure, not side projects.
Hermes Hub gives external products a stable REST and A2A edge for hosted Hermes Agent runtimes, while each tenant keeps isolated memory, secrets, browser state, sessions, cron data, and subprocess home.
Tenant runtime console
Public edge to private Hermes API
Inbound
/a2a/acme-support
Validate key, resolve peer, wake tenant.
Private run
POST /v1/runs
Stream events, stop, inspect, hibernate.
State boundary
$HERMES_HOME per tenant
Memory, secrets, sessions, cron, browser auth.
Resolved environment
release: /opt/hermes-agent/current
socket: /run/hermes/acme-support.sock
tenant home: /var/lib/hermes-hub/tenants/acme-support/.hermes
gateway: ready tenants only
A2A 0.3
Tenant agent cards and edge requests
Cold idle
Wake agents only when work arrives
One release
Shared runtime artifacts, isolated tenant state
REST
Tenants, lifecycle, cron, releases, and artifacts
The hard part is not launching one agent. It is hosting hundreds without mixing their state.
Agent protocols are becoming real production plumbing. The missing layer is the operator surface that turns private Hermes Agent runtimes into safe, tenant-scoped services.
Protocol pressure
Products need A2A-facing agents that can be discovered and called by other systems, without exposing private runtime APIs to the public internet.
Tenant boundaries
Profiles are not enough. Production isolation needs tenant-owned homes, secrets, browser profiles, memories, sessions, cron files, and Linux execution boundaries.
Runtime sprawl
Copying virtualenvs, browser binaries, skills, plugins, and Node dependencies into every tenant home turns hosting into drift management.
Hermes Hub is the control plane between your product and Hermes Agent.
External clients use REST to create tenants, manage lifecycle, inspect runtime state, schedule work, fetch A2A cards, and render host artifacts.
A2A stays at the edge. Hub validates tenant credentials and peer introductions, wakes the right runtime, then translates work into Hermes Agent's richer private API.
Heavy runtime artifacts live once per release. Mutable tenant state stays under that tenant's own HERMES_HOME, including memories, sessions, cron data, secrets, browser auth, and subprocess HOME.
A production path for hosted agents
01. Create the tenant
Provision tenant metadata, public A2A shape, auth claim mapping, browser preference, quotas, and desired runtime settings through REST.
02. Resolve the runtime
Use a central Hermes Agent release for shared binaries and dependencies, while rendering tenant-local environment and systemd artifacts.
03. Wake on demand
Start hibernated agents for A2A requests, chat transport, or due cron jobs, then return them to cold-idle when work is done.
What the hub owns
Tenant API
Create, inspect, update, disable, delete, reconcile, and route tenants from one stable OpenAPI contract.
A2A edge
Serve tenant agent cards, issue credentials, register remote peers, and keep A2A out of the private hub-to-agent protocol.
Cold activation
Render deterministic systemd socket and service units so agents can appear available while staying idle when there is no work.
Central releases
Stage, activate, pin, roll back, and inspect Hermes Agent releases without duplicating heavyweight artifacts per tenant.
Secret posture
Keep hub-owned Codex auth central, tenant env keys scoped, and secret material out of logs, test output, and marketing claims.
Cron continuity
Preserve native Hermes cron behavior while Hub owns wake policy, lifecycle, and transport callbacks.
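A sketch of the cold-activation rendering described above, combined with the tenant boundary: this is an added example, not Hermes Hub's own code. The release, socket and tenant-home paths come from the page; the unit names, the `hermes-hub` and `hermes-<tenant>` accounts, the `home` subdirectory and the `bin/hermes-agent` binary are assumptions.

```python
import re
from pathlib import PurePosixPath

# Paths come from the page. Unit names, account names, the HOME subdirectory
# and the ExecStart binary are hypothetical placeholders for this example.
RELEASE = PurePosixPath("/opt/hermes-agent/current")
RUN_DIR = PurePosixPath("/run/hermes")
TENANT_ROOT = PurePosixPath("/var/lib/hermes-hub/tenants")
TENANT_ID = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,46}[a-z0-9])?")


def render_units(tenant_id: str) -> dict[str, str]:
    """Return {unit file name: text}; the same id always yields the same bytes."""
    # The id is interpolated into paths and unit names, so refuse anything
    # that could traverse directories or smuggle in extra unit directives.
    if not TENANT_ID.fullmatch(tenant_id):
        raise ValueError(f"invalid tenant id: {tenant_id!r}")
    home = TENANT_ROOT / tenant_id / ".hermes"
    unit = f"hermes-tenant-{tenant_id}"
    socket = [
        "[Socket]",
        f"ListenStream={RUN_DIR / (tenant_id + '.sock')}",
        "SocketUser=hermes-hub",  # assumed hub account owns the socket
        "SocketMode=0600",        # so only that account can connect
        "",
        "[Install]",
        "WantedBy=sockets.target",
    ]
    service = [
        "[Service]",
        f"User=hermes-{tenant_id}",  # one Linux account per tenant
        f"Environment=HERMES_HOME={home}",
        f"Environment=HOME={home / 'home'}",  # subprocess HOME stays inside
        f"ExecStart={RELEASE / 'bin' / 'hermes-agent'}",  # placeholder binary
        "NoNewPrivileges=yes",
        "PrivateTmp=yes",
        "ProtectHome=yes",
        "ProtectSystem=strict",      # filesystem is read-only ...
        f"ReadWritePaths={home}",    # ... except this tenant's state
    ]
    return {
        f"{unit}.socket": "\n".join(socket) + "\n",
        f"{unit}.service": "\n".join(service) + "\n",
    }


if __name__ == "__main__":
    for name, text in render_units("acme-support").items():
        print(f"# {name}\n{text}")
```

Read isolation between tenants here relies on the per-tenant account and on each tenant home being owned by it with mode 0700; the sandboxing directives only restrict writes.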
REST outside. A2A at the boundary. Hermes API inside.
The public interface stays stable for products and peers. The private execution path keeps Hermes-specific controls available to operators.
External products
Call REST for management and A2A for agent-to-agent traffic.
Hermes Hub
Owns tenants, credentials, releases, systemd artifacts, gateway config, scheduling, and wake decisions.
Tenant Hermes Agent
Executes work through private runtime APIs with tenant-local state and shared central artifacts.
Questions operators ask first
Is Hermes Hub an agent framework?
No. Hermes Agent owns execution. Hermes Hub owns hosted runtime orchestration, isolation, lifecycle, and public protocol surfaces.
Why keep A2A only at the edge?
The public protocol is useful for interoperability, but the private Hermes Agent API exposes richer runtime controls such as runs, events, stop, sessions, and cron behavior.
What is the core buyer message?
If your product needs hosted, tenant-scoped agents, Hermes Hub gives you the operating layer before the agent fleet becomes a pile of custom scripts.
Bring hosted Hermes agents into your product.
Use Hermes Hub when you need tenant creation, A2A edge access, isolated runtime state, cron wakeups, release promotion, and host artifacts from one operator API.