OAuth over SSH / Remote Hosts
Some Hermes providers — xAI Grok OAuth , Spotify , and remote MCP servers (Linear, Sentry, Atlassian, Asana, Figma, …) — use a loopback redirect OAuth flow. The
- Section
- Guides & Tutorials
- Source
- hermesbible.com/docs/guides/oauth-over-ssh
Some Hermes providers — xAI Grok OAuth , Spotify , and remote MCP servers (Linear, Sentry, Atlassian, Asana, Figma, …) — use a loopback redirect OAuth flow. The
Excerpt from the official Hermes Agent documentation, quoted for reference. View sourceWhat this page covers
- TL;DR
- Browser-only remote (Cloud Shell / Codespaces / EC2 Instance Connect)
- Which Providers Need This
- MCP Servers
- Why the listener can't just bind 0.0.0.0
- Step-by-step: single SSH hop
- 1. Start the tunnel from your local machine
- 2. In a separate SSH session, run the auth command
- 3. Open the URL in your local browser
- Step-by-step: through a jump box
Section outline mirrored from the official Hermes Agent documentation. Follow any heading to read the complete text on the source site.
Upstream outline
- TL;DR
- Browser-only remote (Cloud Shell / Codespaces / EC2 Instance Connect)
- Which Providers Need This
- MCP Servers
- Why the listener can't just bind 0.0.0.0
- Step-by-step: single SSH hop
- 1. Start the tunnel from your local machine
- 2. In a separate SSH session, run the auth command
- 3. Open the URL in your local browser
- Step-by-step: through a jump box
- Mosh, tmux, ssh ControlMaster
- Troubleshooting
- bind [127.0.0.1]:56121: Address already in use
- "Could not establish connection. We couldn't reach your app." (xAI)
Section map
TL;DR
Maps tl;dr to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.
Browser-only remote (Cloud Shell / Codespaces / EC2 Instance Connect)
Maps browser-only remote (cloud shell / codespaces / ec2 instance connect) to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.
Which Providers Need This
Maps which providers need this to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.
MCP Servers
Maps mcp servers to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.
Why the listener can't just bind 0.0.0.0
Maps why the listener can't just bind 0.0.0.0 to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.
Step-by-step: single SSH hop
Maps step-by-step: single ssh hop to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.
1. Start the tunnel from your local machine
Maps 1. start the tunnel from your local machine to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.
2. In a separate SSH session, run the auth command
Maps 2. in a separate ssh session, run the auth command to the Guides & Tutorials documentation path, with the source page reserved for exact commands and updates.
Implementation notes
- Use this Guides & Tutorials doc as a navigation page first: the local clone mirrors the source structure and links each heading back to the authoritative upstream section.
- Primary decision areas: TL;DR, Browser-only remote (Cloud Shell / Codespaces / EC2 Instance Connect), Which Providers Need This, MCP Servers, Why the listener can't just bind 0.0.0.0. Read those source anchors before changing installs, credentials, automation, or runtime configuration.
- Useful search signals for this doc: oauth, remote, hosts, providers, spotify. These are derived from the public title and summary so the clone remains lightweight.
Decision table
Use when you need orientation for oauth over ssh / remote hosts before applying exact upstream commands.
Open the source anchor for TL;DR and confirm platform-specific requirements before changing configuration.
Use the upstream page as the authority for current syntax, release changes, and security-sensitive steps.
Verification checklist
- Use this page to orient yourself within Guides & Tutorials, then open the linked source page for exact current syntax.
- Start with the source section for TL;DR; do not rely on the local summary for commands or secrets.
- Check platform, install method, provider, and credential assumptions before changing a real environment.
- Review the source section for Browser-only remote (Cloud Shell / Codespaces / EC2 Instance Connect) if the page involves setup, automation, messaging, or runtime behavior.
- After applying anything from the source, run the smallest relevant smoke test before widening scope.
Risk notes
Treat every token, OAuth grant, secret manager entry, and API key as production-sensitive. Verify least privilege and revocation before reuse.
Keep human review before sending public posts, customer messages, trading instructions, or team notifications.
Set provider, token, and retry limits before scaling the workflow beyond a single test run.
Check filesystem, shell, browser, repository, and server permissions before granting the agent write access.
What this page covers
- xAI Grok OAuth , Spotify
- remote MCP servers (Linear, Sentry, Atlassian, Asana, Figma, …)
- use a loopback redirect OAuth flow. The
Source mirror note
This page is generated from the public Hermes Bible index so the clone has the same route coverage and search surface. It stores the public title, category, summary, and source link locally; use the source page for full upstream text and updates.
Open source page