Hermes BibleUnofficial Docs
← All docs Docs / Guides & Tutorials

OAuth over SSH / Remote Hosts

Some Hermes providers — xAI Grok OAuth , Spotify , and remote MCP servers (Linear, Sentry, Atlassian, Asana, Figma, …) — use a loopback redirect OAuth flow. The

Guides & Tutorials
Section
Guides & Tutorials
Source
hermesbible.com/docs/guides/oauth-over-ssh

Some Hermes providers — xAI Grok OAuth , Spotify , and remote MCP servers (Linear, Sentry, Atlassian, Asana, Figma, …) — use a loopback redirect OAuth flow. The

Excerpt from the official Hermes Agent documentation, quoted for reference. View source

What this page covers

Section outline mirrored from the official Hermes Agent documentation. Follow any heading to read the complete text on the source site.

Upstream outline

  1. TL;DR
  2. Browser-only remote (Cloud Shell / Codespaces / EC2 Instance Connect)
  3. Which Providers Need This
  4. MCP Servers
  5. Why the listener can't just bind 0.0.0.0
  6. Step-by-step: single SSH hop
  7. 1. Start the tunnel from your local machine
  8. 2. In a separate SSH session, run the auth command
  9. 3. Open the URL in your local browser
  10. Step-by-step: through a jump box
  11. Mosh, tmux, ssh ControlMaster
  12. Troubleshooting
  13. bind [127.0.0.1]:56121: Address already in use
  14. "Could not establish connection. We couldn't reach your app." (xAI)

Section map

TL;DR

Maps tl;dr to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.

Browser-only remote (Cloud Shell / Codespaces / EC2 Instance Connect)

Maps browser-only remote (cloud shell / codespaces / ec2 instance connect) to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.

Which Providers Need This

Maps which providers need this to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.

MCP Servers

Maps mcp servers to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.

Why the listener can't just bind 0.0.0.0

Maps why the listener can't just bind 0.0.0.0 to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.

Step-by-step: single SSH hop

Maps step-by-step: single ssh hop to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.

1. Start the tunnel from your local machine

Maps 1. start the tunnel from your local machine to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.

2. In a separate SSH session, run the auth command

Maps 2. in a separate ssh session, run the auth command to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.

Implementation notes

  • Use this Guides & Tutorials doc as a navigation page first: the local clone mirrors the source structure and links each heading back to the authoritative upstream section.
  • Primary decision areas: TL;DR, Browser-only remote (Cloud Shell / Codespaces / EC2 Instance Connect), Which Providers Need This, MCP Servers, Why the listener can't just bind 0.0.0.0. Read those source anchors before changing installs, credentials, automation, or runtime configuration.
  • Useful search signals for this doc: oauth, remote, hosts, providers, spotify. These are derived from the public title and summary so the clone remains lightweight.

Decision table

Best fitGuides & Tutorials documentation

Use when you need orientation for oauth over ssh / remote hosts before applying exact upstream commands.

Verify firstTL;DR

Open the source anchor for TL;DR and confirm platform-specific requirements before changing configuration.

Escalate to sourceCommands, credentials, runtime behavior

Use the upstream page as the authority for current syntax, release changes, and security-sensitive steps.

Verification checklist

  1. Use this page to orient yourself within Guides & Tutorials, then open the linked source page for exact current syntax.
  2. Start with the source section for TL;DR; do not rely on the local summary for commands or secrets.
  3. Check platform, install method, provider, and credential assumptions before changing a real environment.
  4. Review the source section for Browser-only remote (Cloud Shell / Codespaces / EC2 Instance Connect) if the page involves setup, automation, messaging, or runtime behavior.
  5. After applying anything from the source, run the smallest relevant smoke test before widening scope.

Risk notes

Credentials

Treat every token, OAuth grant, secret manager entry, and API key as production-sensitive. Verify least privilege and revocation before reuse.

External messages

Keep human review before sending public posts, customer messages, trading instructions, or team notifications.

Model spend

Set provider, token, and retry limits before scaling the workflow beyond a single test run.

Runtime access

Check filesystem, shell, browser, repository, and server permissions before granting the agent write access.

What this page covers

  • xAI Grok OAuth , Spotify
  • remote MCP servers (Linear, Sentry, Atlassian, Asana, Figma, …)
  • use a loopback redirect OAuth flow. The

Source mirror note

This page is generated from the public Hermes Bible index so the clone has the same route coverage and search surface. It stores the public title, category, summary, and source link locally; use the source page for full upstream text and updates.

Open source page