Skip to main content
Hermes receives webhook events on port 8644, which Agent37 keeps credential-protected by default. This page covers the Agent37-specific step: giving that port a stable public URL without exposing the Agent API on port 3737. For Hermes route configuration, payload templates, delivery targets, and supported signatures, use the Hermes webhook guide.

1. Create the Hermes subscription

Open the Hermes dashboard on port 9119 with a signed URL, then select Webhooks. Enable the receiver if needed and create a subscription. Agent37 manages the Hermes gateway restart. Hermes shows a local URL and a signing secret when the subscription is created:
Copy the secret when Hermes shows it. Keep the /webhooks/call-ended path; replace only the local origin below.

2. Give port 8644 a named URL

Add a prefix to make the hostname readable and stable:
A prefix produces {prefix}-{instanceId}.agent37.app; it does not claim a global bare hostname. Omit prefix if you prefer a random, unguessable hostname. See Public ports for creation-time configuration, rotation, and limits.

3. Replace the local origin

Combine the returned Agent37 origin with the path Hermes showed:
Configure the external service with this URL and the Hermes signing secret. The public URL supplies reachability; Hermes still authenticates the delivery using the signature rules in its documentation. Test the subscription locally from the instance terminal, then use the provider’s test-delivery feature:
Do not test with {url}/health. Agent37 reserves /health at the edge, so that path does not reach Hermes.