Issue Station
Sign In
Tools hereToolbox

hermes - 💡(How to fix) Fix [Bug] delegation.provider=nous uses expired agent_key without refresh in _resolve_explicit_runtime [1 pull requests]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…

When delegation.provider: nous is configured, sub-agents (delegate_task) fail with HTTP 401 even when the parent agent is authenticated and Nous Portal tokens are valid.

Error Message

Error code: 401 - {"status": 401, "message": "Your API key is invalid..."}

Root Cause

In hermes_cli/runtime_provider.py, the _resolve_explicit_runtime() function handles the provider == "nous" case at lines 1112-1140. It reads agent_key from auth_mod.get_provider_auth_state("nous") but does NOT check whether the key has expired:

if provider == "nous":
    state = auth_mod.get_provider_auth_state("nous") or {}
    ...
    api_key = str(state.get("agent_key") or "").strip()  # ← no expiry check!
    if not api_key:                                       # ← only refreshes when key is absent
        creds = resolve_nous_runtime_credentials(...)
    return {...}  # ← returns expired key

The main agent credential resolution path (lines 1300-1340) correctly checks expiry via _agent_key_is_usable() and falls through to resolve_nous_runtime_credentials() when expired. But the delegation path bypasses this.

Fix Action

Fixed

Code Example

if provider == "nous":
    state = auth_mod.get_provider_auth_state("nous") or {}
    ...
    api_key = str(state.get("agent_key") or "").strip()  # ← no expiry check!
    if not api_key:                                       # ← only refreshes when key is absent
        creds = resolve_nous_runtime_credentials(...)
    return {...}  # ← returns expired key

---

Error code: 401 - {"status": 401, "message": "Your API key is invalid..."}

---

if provider == "nous":
    state = auth_mod.get_provider_auth_state("nous") or {}
    ...
    api_key = str(state.get("agent_key") or "").strip()
    expires_at = state.get("agent_key_expires_at") or state.get("expires_at")
    
    # Check if agent_key is expired/expiring — same logic as credential pool path
    min_ttl = max(60, int(os.getenv("HERMES_NOUS_MIN_KEY_TTL_SECONDS", "1800")))
    if api_key and not _agent_key_is_usable(state, min_ttl):
        api_key = ""  # force refresh
    
    if not api_key:
        creds = resolve_nous_runtime_credentials(...)
    ...
RAW_BUFFERClick to expand / collapse

Description

When delegation.provider: nous is configured, sub-agents (delegate_task) fail with HTTP 401 even when the parent agent is authenticated and Nous Portal tokens are valid.

Root Cause

In hermes_cli/runtime_provider.py, the _resolve_explicit_runtime() function handles the provider == "nous" case at lines 1112-1140. It reads agent_key from auth_mod.get_provider_auth_state("nous") but does NOT check whether the key has expired:

if provider == "nous":
    state = auth_mod.get_provider_auth_state("nous") or {}
    ...
    api_key = str(state.get("agent_key") or "").strip()  # ← no expiry check!
    if not api_key:                                       # ← only refreshes when key is absent
        creds = resolve_nous_runtime_credentials(...)
    return {...}  # ← returns expired key

The main agent credential resolution path (lines 1300-1340) correctly checks expiry via _agent_key_is_usable() and falls through to resolve_nous_runtime_credentials() when expired. But the delegation path bypasses this.

Reproduction

  1. Authenticate with Nous Portal: hermes auth add nous --type oauth
  2. Set delegation.provider: nous and delegation.model: deepseek/deepseek-v4-flash:free in config.yaml
  3. Wait 15+ minutes for agent_key to expire (or wait for the key lifetime)
  4. Call delegate_task — sub-agents fail with: 
    Error code: 401 - {"status": 401, "message": "Your API key is invalid..."}
  5. Direct API call with the same token works (HTTP 200) — confirming the key is only broken in the delegation path

Suggested Fix

Add expiry check similar to the credential pool path (lines 1318-1327):

if provider == "nous":
    state = auth_mod.get_provider_auth_state("nous") or {}
    ...
    api_key = str(state.get("agent_key") or "").strip()
    expires_at = state.get("agent_key_expires_at") or state.get("expires_at")
    
    # Check if agent_key is expired/expiring — same logic as credential pool path
    min_ttl = max(60, int(os.getenv("HERMES_NOUS_MIN_KEY_TTL_SECONDS", "1800")))
    if api_key and not _agent_key_is_usable(state, min_ttl):
        api_key = ""  # force refresh
    
    if not api_key:
        creds = resolve_nous_runtime_credentials(...)
    ...

Environment

  • Hermes Agent v0.14.0 (2026.5.16)
  • Linux, Python 3.11.15
  • Nous Portal OAuth with inference:invoke inference:mint_agent_key scope

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING