Issue Station
Sign In
Tools hereToolbox

hermes - ✅(Solved) Fix Camofox browser: all operations fail with 403 when CAMOFOX_API_KEY is set [1 pull requests, 1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
NousResearch/hermes-agent#20476Fetched 2026-05-06 06:36:40
View on GitHub
Comments
0
Participants
1
Timeline
5
Reactions
0
Author
rijoymanghat84rijoymanghat84
Participants
rijoymanghat84rijoymanghat84
Timeline (top)
labeled ×3cross-referenced ×1referenced ×1

Root Cause

Five HTTP call sites in tools/browser_camofox.py call requests.post/get/delete without headers=_auth_headers():

FunctionMissing
_ensure_tab()headers=_auth_headers()
_post()headers=_auth_headers()
_get()headers=_auth_headers()
_get_raw()headers=_auth_headers()
_delete()headers=_auth_headers()

Fix Action

Fix

Add headers=_auth_headers() to all five calls. For _ensure_tab() (defined before _auth_headers), inline:

key = os.getenv("CAMOFOX_API_KEY", "").strip()
headers = {"Authorization": f"Bearer {key}"} if key else {}
resp = requests.post(f"{base}/tabs", json=body, timeout=30, headers=headers)

Also clear __pycache__/browser_camofox*.pyc after patching.

PR fix notes

PR #20479: fix(browser): send Authorization header in Camofox HTTP calls when CAMOFOX_API_KEY is set

Description (problem / solution / changelog)

Summary

When CAMOFOX_API_KEY is set, all Camofox browser operations return 403 Forbidden because the five HTTP call sites in tools/browser_camofox.py never attach the Authorization: Bearer header.

Root Cause

The _auth_headers() helper was never created, and none of the five HTTP functions (_ensure_tab, _post, _get, _get_raw, _delete) passed auth headers to requests.post/get/delete.

Fix

  • Added _auth_headers() helper that reads CAMOFOX_API_KEY from environment and returns {"Authorization": "Bearer <key>"} (or {} if unset/blank).
  • Wired headers=_auth_headers() into all five HTTP call sites.
  • The /health endpoint is left without auth since it is a connectivity probe, not a browser operation.

Regression Coverage

8 new tests in tests/tools/test_browser_camofox_auth.py:

  • TestAuthHeaders (3 tests): unit tests for the helper — empty when no key, bearer when key set, empty when blank.
  • TestAuthHeadersSent (4 tests): integration tests verifying each HTTP call site passes auth headers when key is set.
  • TestNoAuthHeadersWhenKeyUnset (1 test): verifies empty headers when key is not set.

All 23 existing Camofox tests continue to pass.

Testing

scripts/run_tests.sh tests/tools/test_browser_camofox.py tests/tools/test_browser_camofox_auth.py

Fixes Camofox browser: all operations fail with 403 when CAMOFOX_API_KEY is set #20476

Changed files

  • gateway/platforms/whatsapp.py (modified, +4/-1)
  • tests/tools/test_browser_camofox_auth.py (added, +111/-0)
  • tests/tools/test_file_tools.py (modified, +37/-0)
  • tools/browser_camofox.py (modified, +13/-4)
  • tools/file_tools.py (modified, +6/-6)

Code Example

key = os.getenv("CAMOFOX_API_KEY", "").strip()
headers = {"Authorization": f"Bearer {key}"} if key else {}
resp = requests.post(f"{base}/tabs", json=body, timeout=30, headers=headers)
RAW_BUFFERClick to expand / collapse

Bug Description

When a Camofox browser server has CAMOFOX_API_KEY auth enabled, Hermes fails to authenticate all HTTP requests to the Camofox REST API. Every browser operation (navigate, type, click, snapshot, press, scroll, back, close) returns 403 Forbidden.

The Camofox server correctly enforces auth — the Authorization: Bearer header is simply never attached to outgoing requests from tools/browser_camofox.py.

Steps to Reproduce

  1. Start a Camofox server with CAMOFOX_API_KEY set
  2. Set CAMOFOX_URL and CAMOFOX_API_KEY in Hermes
  3. Trigger any browser tool — all return 403

Root Cause

Five HTTP call sites in tools/browser_camofox.py call requests.post/get/delete without headers=_auth_headers():

FunctionMissing
_ensure_tab()headers=_auth_headers()
_post()headers=_auth_headers()
_get()headers=_auth_headers()
_get_raw()headers=_auth_headers()
_delete()headers=_auth_headers()

Fix

Add headers=_auth_headers() to all five calls. For _ensure_tab() (defined before _auth_headers), inline:

key = os.getenv("CAMOFOX_API_KEY", "").strip()
headers = {"Authorization": f"Bearer {key}"} if key else {}
resp = requests.post(f"{base}/tabs", json=body, timeout=30, headers=headers)

Also clear __pycache__/browser_camofox*.pyc after patching.

Contrast

OpenClaw's @askjo/camofox-browser plugin works correctly — this is a Hermes-specific omission in the native Camofox integration.

extent analysis

TL;DR

Add the headers=_auth_headers() parameter to the five HTTP call sites in tools/browser_camofox.py to include the Authorization: Bearer header in outgoing requests.

Guidance

  • Verify that the CAMOFOX_API_KEY environment variable is set correctly and the CAMOFOX_URL is configured properly in Hermes.
  • Check the tools/browser_camofox.py file for the five functions listed in the Root Cause section and ensure that headers=_auth_headers() is added to each of their requests.post/get/delete calls.
  • After applying the fix, clear the __pycache__/browser_camofox*.pyc files to ensure the changes take effect.
  • Test the browser operations (navigate, type, click, snapshot, press, scroll, back, close) to confirm that the 403 Forbidden error is resolved.

Example

For the _ensure_tab() function, the fix can be applied by inlining the headers dictionary as shown in the provided code snippet:

key = os.getenv("CAMOFOX_API_KEY", "").strip()
headers = {"Authorization": f"Bearer {key}"} if key else {}
resp = requests.post(f"{base}/tabs", json=body, timeout=30, headers=headers)

Notes

This fix is specific to the Hermes native Camofox integration and does not affect the OpenClaw @askjo/camofox-browser plugin.

Recommendation

Apply the workaround by adding headers=_auth_headers() to the five HTTP call sites in tools/browser_camofox.py, as this directly addresses the identified root cause of the issue.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#authentication setup#request error#file not found#serialization error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

hermes - ✅(Solved) Fix Camofox browser: all operations fail with 403 when CAMOFOX_API_KEY is set [1 pull requests, 1 participants]