As you accumulate more API keys in Hermes Agent (OpenAI, Anthropic, OpenRouter, xAI), Bitwarden Secrets Manager is worth considering, but don't let it override your local ~/.hermes/.env right away. Starting from v0.15.0, Hermes supports pulling multiple sets of credentials from Bitwarden with a single BWS_ACCESS_TOKEN, which suits long-term use and team maintenance.
When is it worth moving?
If you only have one OpenRouter key, a local .env is fine. If you have multiple providers, multiple machines, and frequently change keys, Bitwarden is clearly less hassle. Its core value isn't being "cooler," but that after a key rotation you don't have to manually modify files on each server.
Recommended migration order
- Back up the current ~/.hermes/.env first, keeping at least one offline copy.
- Create the corresponding secrets in Bitwarden, naming them to match the variables read by Hermes.
- Inject the BWS_ACCESS_TOKEN first, then launch Hermes and check the source of credentials in the doctor or configuration output.
- After confirming the new source is available, decide whether to let Bitwarden override the local variable with the same name.
The official documentation mentions that Bitwarden by default acts more like the source of truth, meaning its value may override a local env value with the same name. This behavior suits centralized management, but not beginners who are still experimenting and adjusting at the same time. You can turn off overwriting first, and switch it on only after confirming everything is fine.
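Before deciding on override, it helps to see which variable names exist in both places and whether their values differ. The sketch below is an added example, not Hermes or Bitwarden code: the sample data is constructed, the Bitwarden export is assumed to be a JSON array of objects with `key` and `value` fields, and the precedence rule in `plan` (Bitwarden wins a name collision only when override is on) is an assumption drawn from the description above.

```python
import hashlib
import json

# Constructed sample inputs; none of these values are real credentials.
LOCAL_ENV = """# constructed ~/.hermes/.env
OPENROUTER_API_KEY=local-old-value
OPENAI_API_KEY="shared-value"
XAI_API_KEY=local-only-value
"""
# Assumed export shape: a JSON array of objects with "key" and "value".
BITWARDEN_JSON = """[{"key": "OPENROUTER_API_KEY", "value": "rotated-value"},
 {"key": "OPENAI_API_KEY", "value": "shared-value"},
 {"key": "ANTHROPIC_API_KEY", "value": "bitwarden-only-value"}]"""
REMOTE = {s["key"]: s["value"] for s in json.loads(BITWARDEN_JSON)}

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks/comments, strip matching quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip().removeprefix("export ")
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
            env[key.strip()] = value
    return env

def fingerprint(value):
    """Short SHA-256 prefix: compare or record a value without logging it."""
    return hashlib.sha256(value.encode()).hexdigest()[:8]

def plan(local, remote, override):
    """Assumed precedence model: name -> (winning source, status, fingerprint)."""
    report = {}
    for name in sorted(set(local) | set(remote)):
        loc, rem = local.get(name), remote.get(name)
        if rem is None:
            source, status = "local", "local-only"
        elif loc is None:
            source, status = "bitwarden", "bitwarden-only"
        else:
            source = "bitwarden" if override else "local"
            status = "same" if loc == rem else "differs"
        report[name] = (source, status, fingerprint(rem if source == "bitwarden" else loc))
    return report

if __name__ == "__main__":
    for name, row in plan(parse_env(LOCAL_ENV), REMOTE, override=False).items():
        print(name, *row)
```

Any name reported as `differs` is one where flipping the override setting changes which key a restarted service uses, so those are the ones to reconcile or announce before switching.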
The easiest pitfalls to fall into
First, the token's permissions are too broad, exposing all environments to the same bootstrap token. Second, old keys are still present locally, so when one is entered incorrectly you can't tell which key Hermes actually used. Third, a team member switches to Bitwarden, and after the online service restarts it suddenly uses different credentials. The solution is simple: split tokens for different environments, record the source of credentials, and notify affected gateways and scheduled tasks before changing keys.