Claude Code OAuth bypass for hermes-agent, use your Claude Code subscription (Max/Pro) with Hermes.

Patches hermes-agent at runtime to pass Anthropic's server-side OAuth content validation. It does not modify hermes-agent source files. Installation happens through a Python import hook that monkey-patches build_anthropic_kwargs on startup.

On 2026-04-04, Anthropic added server-side validation that rejects OAuth requests from third-party tools. This patch adds the billing header signature and system prompt structure the API expects.

• hermes-agent installed (~/.hermes/hermes-agent/)
• Claude Code CLI authenticated (valid credentials at ~/.claude/.credentials.json)
• hermes-agent configured for OAuth (credential_pool has a claude_code entry in ~/.hermes/auth.json)
• Python 3.11+

curl -fsSL https://raw.githubusercontent.com/kristianvast/hermes-claude-auth/main/install-remote.sh | bash

Or clone manually:

git clone https://github.com/kristianvast/hermes-claude-auth.git
cd hermes-claude-auth
./install.sh

What install.sh does:

• Copies anthropic_billing_bypass.py to ~/.hermes/patches/
• Installs the import hook as sitecustomize.py in the hermes venv's site-packages
• Restarts hermes-gateway.service if running

./uninstall.sh          # remove hook only
./uninstall.sh --purge  # remove hook + patch file

1. Billing header: SHA-256 signed x-anthropic-billing-header injected as system[0]
2. System prompt relocation: Non-identity system entries moved to the first user message as <system-reminder> blocks
3. Beta flags: Adds prompt-caching-scope-2026-01-05 and advisor-tool-2026-03-01
4. Stainless SDK spoof: Lowercase x-stainless-* headers + anthropic-dangerous-direct-browser-access + ?beta=true query param matching real Claude Code 2.1.112
5. Tool name namespacing: Hermes's mcp_bash is rewritten to mcp__hermes__Bash outbound; the response normalizer unwraps it back to bash so hermes's tool dispatcher resolves the registered name without auto-repair noise
6. Tool pair repair: Orphaned tool_use / tool_result blocks (left by long conversations or partial summaries) are stripped before signing — prevents HTTP 400 (upstream PR #136)
7. Haiku effort stripping: effort parameter is removed for haiku models that reject it with HTTP 400 (upstream PR #126)
8. Temperature fix: Strips non-default temperature on Opus 4.6 adaptive thinking, which otherwise rejects with HTTP 400
9. Account metadata: Maps ~/.claude.json::oauthAccount.accountUuid to metadata.user_id (Anthropic rejected the older account_uuid key with HTTP 400 on 2026-04-29)

Installed through a sitecustomize.py MetaPathFinder hook, so it runs at interpreter startup with no source modifications.

• Tested with hermes-agent on Python 3.11+
• Linux and macOS
• Depends on build_anthropic_kwargs(is_oauth=...) in agent.anthropic_adapter, so it may need updating if hermes-agent changes that interface

• "hermes-agent not found": Make sure Hermes is installed at ~/.hermes/hermes-agent/
• "No virtualenv found": Set HERMES_VENV to point to your venv
• Patch not loading: Check journalctl --user -u hermes-gateway -n 50 for [anthropic_billing_bypass] or [hermes-claude-auth] messages

• Anthropic 401 authentication failed or No Anthropic credentials found: Hermes reads Claude subscription credentials from ~/.claude/.credentials.json. If Claude Code is authenticated (e.g. in macOS Keychain) but that file is missing or stale, Hermes fails even when Claude Code itself works.

  On macOS, install.sh v1.1.1+ auto-mirrors the Claude Code-credentials Keychain entry into ~/.claude/.credentials.json on every run, so re-running the installer is usually enough. Full fix:

  1. Refresh Claude subscription login:

     claude auth login --claudeai

  2. Re-run the installer to re-mirror credentials (macOS) and reload the patch:

     ./install.sh

  3. Remove stale ANTHROPIC_TOKEN / ANTHROPIC_API_KEY values from ~/.hermes/.env — they can override subscription auth.
  4. Reset cached credentials:

     hermes auth reset anthropic

  5. Retry with a smoke test:

     hermes chat -q 'Reply with exactly: AUTH TEST OK' --provider anthropic -m claude-sonnet-4-6 -Q

  If the auto-mirror doesn't work (e.g. your Keychain entry is under a different service name), mirror it manually:

  python3 - <<'PY'
  import subprocess
  from pathlib import Path
  
  secret = subprocess.check_output(
      ['security', 'find-generic-password', '-s', 'Claude Code-credentials', '-w'],
      text=True,
  ).strip()
  
  cred_path = Path.home() / '.claude' / '.credentials.json'
  cred_path.parent.mkdir(parents=True, exist_ok=True)
  cred_path.write_text(secret)
  cred_path.chmod(0o600)
  print(f'wrote {cred_path}')
  PY

  Credit: the macOS Keychain mirror approach was written up by @DrQbz in issue #5 and is now automated in install.sh.

• HTTP 400: "Third-party apps now draw from your extra usage, not your plan limits": Anthropic's server-side validation has classified your requests as third-party and routed them to pay-per-token credits instead of your Max/Pro plan. Make sure you're on the latest version of this patch (it tracks the upstream opencode-claude-auth fingerprint changes). Reinstall with ./install.sh and restart hermes-gateway. If the error persists after update, the bypass is currently broken upstream too — track issue #6 for status.
• HTTP 400 persists after update: The billing salt or signature format may have been rotated by Anthropic again. Check for newer commits to this repo.

• griffinmartin/opencode-claude-auth, the original TypeScript implementation for opencode (MIT)
• NousResearch/hermes-agent, the AI agent this patches (MIT)

This uses Claude Code subscription credentials outside the official Claude Code CLI. It works with Anthropic's current OAuth implementation but may break if Anthropic changes their validation. Use at your own risk.

MIT, see LICENSE.