hermes - 💡(How to fix) Fix [Bug]: Paid Scale-tier subscriber — tool_gateway_admin: false, every Tool Gateway call rejected with AUTH_ERROR [1 participants]

Bug Description

Paid Scale-tier ($50/mo) Nous Portal subscriber. Every Tool Gateway call (web_search → Firecrawl, image_generate → FAL, TTS → OpenAI, browser_navigate → Browser Use) returns AUTH_ERROR because the JWT claim tool_gateway_admin is false on my account, despite the Scale plan — and every paid tier including Basic, Plus, Scale, and Max — explicitly listing "Hosted tool usage" as an included feature on portal.nousresearch.com/manage-subscription.

In-browser Nous Chat at chat.nousresearch.com works correctly (messages send, models respond, tool usage presumably billed to the subscription). CLI/Hermes-Agent calls to *-gateway.nousresearch.com are rejected specifically on the tool_gateway_admin claim.

This appears to be a server-side provisioning gap specific to my account (or to a class of pre-April-16 subscribers). No client-side action — OAuth scope, client_id, use_gateway config, hermes setup, hermes model, fresh install, or first-use of Nous Chat — changes the claim.

Related: #13301 reports a different UX bug where hermes setup shows gateway tools as "not configured" even when they work at runtime. In that user's case, the underlying tools function via the gateway — confirming Tool Gateway can work for paid Scale-tier subscribers. Mine does not.

JWT payload on freshly-minted tokens (multiple OAuth client_id variants tested)

Baseline hermes-cli client:

{
  "iat": 1776928664,
  "exp": 1776929564,
  "sub": "cmnit8tqn000cl704ac8x2jn8",
  "aud": "hermes-cli:hermes-cli",
  "iss": "https://portal.nousresearch.com",
  "client_id": "hermes-cli",
  "scope": "inference:mint_agent_key",
  "subscription_tier": 3,
  "tool_gateway_admin": false,
  "token_use": "access",
  "product_id": "nous-hermes-agent",
  "nous_client": "hermes-agent"
}

Alternate nous-chat client (same account, freshly OAuthed via hermes auth add nous --type oauth --client-id nous-chat):

{
  "aud": "hermes-cli:nous-chat",
  "client_id": "nous-chat",
  "scope": "inference:mint_agent_key",
  "subscription_tier": 3,
  "tool_gateway_admin": false,     // same false
  "product_id": "nous-chat",
  "nous_client": "chat"
}

Both clients on the same account yield tool_gateway_admin: false, ruling out client-level gating.

Error response from firecrawl-gateway when calling with the token

{
  "error": {
    "code": "AUTH_ERROR",
    "message": "Invalid or expired user token",
    "details": {
      "reason": "user_token_validation_failed",
      "tokenDiagnostics": { "...": "..." },
      "nasFailure": {
        "name": "AuthError",
        "message": "Invalid NAS OAuth token",
        "code": "AUTH_ERROR"
      }
    }
  }
}

The same token (fresh, unexpired) successfully mints agent keys via /api/oauth/agent-key and is accepted by inference-api.nousresearch.com/v1/chat/completions. Only the Tool Gateway endpoints reject it, based on the tool_gateway_admin claim.

Steps to reproduce

1. Subscribe to a paid Nous Portal tier (any — I'm on Scale). Subscription created ~2 days before Tool Gateway launch on 2026-04-16 (renewal: 5/14/2026).
2. hermes auth add nous --type oauth (or hermes model → Nous Portal)
3. In config.yaml, set web.backend: firecrawl, web.use_gateway: true (and same for image_gen, tts, browser)
4. hermes status reports: Nous Tool Gateway — Web tools ✓ active via Nous subscription, Image generation ✓ active via Nous subscription, etc. (client thinks all is correct)
5. Prompt any Hermes agent to call web_search
6. Agent invokes → gateway returns AUTH_ERROR as above

Environment

• Hermes Agent: v0.10.0 (2026.4.16), git SHA 77e04a29 (0 commits behind main as of 2026-04-23)
• Portal plan: Scale ($50/mo, paid, $40.38 credits remaining this month — account healthy)
• Renewal: 2026-05-14 (subscription started 2026-04-14, two days before Tool Gateway launch)
• Account sub: cmnit8tqn000cl704ac8x2jn8
• Account email: [email protected]
• OS: Ubuntu 22.04 on Hetzner VPS
• Python: 3.11.15

Investigation — everything verified and ruled out

Request

Please flip tool_gateway_admin to true on account cmnit8tqn000cl704ac8x2jn8 (email: [email protected], Scale subscriber). The pricing page commits to "Hosted tool usage" as a Scale feature, but the backend flag that governs CLI/Hermes-Agent access to *-gateway.nousresearch.com endpoints is not set on my account.

If this is a known provisioning gap for pre-Tool-Gateway-launch subscribers, please consider a backfill job. baekchan-dev in #13301 is a counter-example where Tool Gateway works correctly — some subset of paid accounts were provisioned, a subset was not.

Additional context

• Running a 4-profile Hermes deployment (Pedro, Selim, Omar, Atlas) for a B2B platform. Tool Gateway would unlock web search, image generation, and browser automation for all four agents at no additional cost on my existing subscription.
• Unable to use Discord for support (Discord is banned in Turkey, where I reside). GitHub is my only public channel for this report.
• Happy to provide additional logs, correlation IDs, or assist with debugging — account-level access is the only missing piece.