Run a Coding Agent on a VPS Without Exposing Your API Keys

What if you could run a coding agent like Hermes on a VPS 24/7 and never put a real API key on that box? Local agents are great for quick loops, but the moment you want long-running work that keeps state and touches multiple services, your laptop becomes the bottleneck: it sleeps, changes networks, and reboots when you close the lid. Worse, if your credentials live on the same machine as the agent, you are one prompt injection away from those secrets being exfiltrated. This guide walks through a two-box setup on Hetzner where the agent runs autonomously while a separate broker holds every credential. A full step-by-step companion guide is available in the Agent Vault docs.

Prompt injection is a real risk for autonomous agents. If an agent reads or executes something malicious while running in an unattended mode, it can leak whatever secrets it can see. The fix is simple to state: the agent should never see a real credential in the first place. That means the keys cannot live in a .env file on the same machine as the agent.

We use two small Hetzner servers on a shared private network. The first box, AV Broker, runs Agent Vault, an HTTP credential proxy that stores every secret encrypted at rest. The second box, Hermes VPS, runs the agent itself. When Hermes calls an upstream like the GitHub or Anthropic API, it sends a dummy placeholder token; Agent Vault matches the request, injects the real credential at the network boundary, and forwards it upstream. Hermes gets the response back but never touches the raw key. The architecture is agent-agnostic: anything that speaks HTTP, including Claude Code, Codex, or Cursor, can broker through it, and you can fan a whole fleet of agents through one broker.

You need three things up front. First, a Hetzner Cloud account and a project to hold both boxes. Second, an SSH key pair so you can reach the servers; add the public key to the Hetzner console and set it as the default. Third, gather the secrets the demo uses ahead of time: an Anthropic brain key from platform.claude.com, a fine-grained GitHub personal access token from GitHub settings, a Slack bot user OAuth token from api.slack.com/apps, and a Telegram bot token from BotFather. Store them in a password manager or Infisical so they stay organized.

In the Hetzner console, add two servers using the cost-optimized CX23 type with Ubuntu 24.04. Attach both to a new private network (for example 10.0.0.0/16) so they can talk to each other without crossing the public internet, and select your SSH key. Name the first box AV Broker and the second Hermes VPS. Total spend is roughly 10 to 15 euros a month.

By default both boxes have SSH open to the entire internet. Create an inbound firewall rule that only allows port 22 from your own public IP, and apply it to both servers. The boxes still reach each other over the private network, and later you can lock the Hermes outbound firewall so that even a compromised agent can only reach the broker. If your IP changes, update the rule, or use a mesh network like Tailscale for stable addresses.

SSH into AV Broker and install Agent Vault with its one-line installer, which auto-detects your architecture and grabs the latest release. Run it inside a tmux session so it survives SSH disconnects, and bind it to the private IP so it is never exposed publicly. Agent Vault listens on two ports: a control plane for the API and web UI, and a separate man-in-the-middle port that agents route their traffic through for credential injection.

Agent Vault has a few core objects. A vault is the outer isolation boundary that holds secrets, wiring, and the list of allowed agents; create one called prod. A credential is a single encrypted secret stored under a key name. A service is the wiring for an upstream host: it has a host pattern, an auth mode (always pass-through here), and substitution rules that replace a placeholder string with a named credential, in the header, path, or query. Add your four credentials and four matching services, pointing each service at its credential. Because services reference credentials by name, you can rotate a credential without breaking anything.

SSH into Hermes VPS and install the Agent Vault CLI there too, then install Hermes from Nous Research with its setup wizard. Hermes keeps a .env file; the key move is to fill it with the same placeholder strings you configured as substitutions in Agent Vault, not real secrets. When Hermes makes a call, it puts those placeholders into the request and ships it through the proxy, where the real values are swapped in.

In the Agent Vault UI, add an agent named Hermes VPS with the proxy role on the prod vault, and create an invite. That gives you three environment variables for the Hermes box: the vault name, a token that authenticates the agent to the broker, and the broker address. Wrap your run command with the Agent Vault CLI, and Hermes routes its HTTP and HTTPS through the man-in-the-middle proxy. A quick chat in the TUI confirms the brain key is being injected correctly.

To talk to Hermes from your phone instead of the TUI, set up the gateway daemon, wrapping the setup command in the Agent Vault CLI so the wizard inherits the broker configuration. Install it as a systemd service but do not start it immediately, because systemd will not inherit your shell environment and would launch without the broker token. Instead write a gateway.env file with the Agent Vault variables, point a systemd override at it, and then start the service. Restrict the bot to your own Telegram user ID so only you can message it.

With everything wired, text the bot a real task: pull the five most recent commits from a public GitHub repo and post a summary to Slack. Hermes brokers GitHub, Slack, and its Anthropic brain through Agent Vault, reasoning about the fact that it is wrapped in a credential proxy and sending dummy values that get substituted upstream. The summary lands in Slack, and at no point did the agent see a real credential.

That is a full multi-box Hermes and Agent Vault setup on Hetzner for about 10 to 15 euros a month. The architecture is agent-agnostic and works for any HTTP-speaking agent. Both Agent Vault and Hermes are free to use. If you are shipping AI agents to production without a credential brokering layer between them and your secrets, today is the day to add one.