Hermes Agent has a secrets problem that every developer running AI agents eventually hits: you need a dozen API keys to talk to OpenAI, Anthropic, OpenRouter, and a handful of other providers, and they all end up sitting in a plaintext ~/.hermes/.env file. Rotate one key and you have to hunt down every machine running Hermes. Hermes v0.15 fixes this with native Bitwarden Secrets Manager support.

The plaintext problem with agent workflows

Until now, the biggest friction with agent workflows was authentication. The moment an agent hit a login wall or needed an API key, the loop broke, and you had to step in and hold its hand. Storing keys in a flat .env file works fine for a single laptop, but it breaks down fast when you are running Hermes across multiple machines, shared dev boxes, or gateway VPSes.

A recent Bitwarden study found that 65% of developers hardcode secrets across development environments, and agent runtimes are no exception. The new integration is a direct answer to that pattern.

One token to rule them all

The integration pulls API keys from Bitwarden Secrets Manager at process startup instead of storing them in plaintext inside ~/.hermes/.env. One bootstrap secret, a machine-account access token, replaces every per-provider key, and rotating a credential becomes a single change in the Bitwarden web app.
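The fetch-at-startup pattern described above, sketched as an added example that is not Hermes's own code: it shells out to Bitwarden's `bws` CLI, keeps the fetched keys in memory only, and withholds the bootstrap token from the process it starts. The function names, the choice to strip the token from the child, and the sample data are assumptions of this example.

```python
import json
import os
import re
import subprocess

ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Variable the bws CLI reads its machine-account token from. That Hermes
# uses the same name is an assumption of this example.
BOOTSTRAP_VAR = "BWS_ACCESS_TOKEN"


def secrets_to_env(bws_json):
    """Map `bws secret list` JSON (objects with "key" and "value") to env pairs."""
    env = {}
    for item in json.loads(bws_json):
        key, value = item["key"], item["value"]
        if not ENV_NAME.fullmatch(key):
            raise ValueError(f"secret name {key!r} is not a usable variable name")
        if key == BOOTSTRAP_VAR or key in env:
            # Secret names are not unique within a project; refuse to guess.
            raise ValueError(f"ambiguous or reserved secret name {key!r}")
        env[key] = value
    return env


def child_env(base, secrets):
    """Agent environment: provider keys in, bootstrap token out."""
    env = {k: v for k, v in base.items() if k != BOOTSTRAP_VAR}
    env.update(secrets)
    return env


def launch(project_id, argv):
    """Fetch secrets at startup, hold them in memory only, then start argv."""
    listing = subprocess.run(
        ["bws", "secret", "list", project_id, "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    env = child_env(dict(os.environ), secrets_to_env(listing))
    return subprocess.call(argv, env=env)


# Constructed sample of the CLI's JSON output; ids and values are fake.
SAMPLE = json.dumps([
    {"id": "constructed-1", "key": "OPENAI_API_KEY", "value": "sk-constructed-openai"},
    {"id": "constructed-2", "key": "ANTHROPIC_API_KEY", "value": "sk-constructed-anthropic"},
])
```

Because nothing is written to disk, rotating a key in Bitwarden takes effect on the next start of the process, with no file to update on each machine.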

The mechanics are straightforward:

  1. You create a machine account in Bitwarden Secrets Manager, give it read access to a project, and generate an access token. Hermes stores that single token in