
[Bug]: Paid Scale-tier subscriber — tool_gateway_admin: false, every Tool Gateway call rejected with AUTH_ERROR #14435

@camelludo

Bug Description

Paid Scale-tier ($50/mo) Nous Portal subscriber. Every Tool Gateway call (web_search → Firecrawl, image_generate → FAL, TTS → OpenAI, browser_navigate → Browser Use) returns AUTH_ERROR because the JWT claim tool_gateway_admin is false on my account, despite the Scale plan — and every paid tier including Basic, Plus, Scale, and Max — explicitly listing "Hosted tool usage" as an included feature on portal.nousresearch.com/manage-subscription.

In-browser Nous Chat at chat.nousresearch.com works correctly (messages send, models respond, tool usage presumably billed to the subscription). CLI/Hermes-Agent calls to *-gateway.nousresearch.com are rejected specifically on the tool_gateway_admin claim.

This appears to be a server-side provisioning gap specific to my account (or to a class of pre-April-16 subscribers). No client-side action — OAuth scope, client_id, use_gateway config, hermes setup, hermes model, fresh install, or first-use of Nous Chat — changes the claim.

Related: #13301 reports a different UX bug where hermes setup shows gateway tools as "not configured" even when they work at runtime. In that user's case, the underlying tools function via the gateway — confirming Tool Gateway can work for paid Scale-tier subscribers. Mine does not.

JWT payload on freshly-minted tokens (multiple OAuth client_id variants tested)

Baseline hermes-cli client:

{
  "iat": 1776928664,
  "exp": 1776929564,
  "sub": "cmnit8tqn000cl704ac8x2jn8",
  "aud": "hermes-cli:hermes-cli",
  "iss": "https://portal.nousresearch.com",
  "client_id": "hermes-cli",
  "scope": "inference:mint_agent_key",
  "subscription_tier": 3,
  "tool_gateway_admin": false,
  "token_use": "access",
  "product_id": "nous-hermes-agent",
  "nous_client": "hermes-agent"
}

Alternate nous-chat client (same account, freshly OAuthed via hermes auth add nous --type oauth --client-id nous-chat):

{
  "aud": "hermes-cli:nous-chat",
  "client_id": "nous-chat",
  "scope": "inference:mint_agent_key",
  "subscription_tier": 3,
  "tool_gateway_admin": false,     // same false
  "product_id": "nous-chat",
  "nous_client": "chat"
}

Both clients on the same account yield tool_gateway_admin: false, ruling out client-level gating.

Error response from firecrawl-gateway when calling with the token

{
  "error": {
    "code": "AUTH_ERROR",
    "message": "Invalid or expired user token",
    "details": {
      "reason": "user_token_validation_failed",
      "tokenDiagnostics": { "...": "..." },
      "nasFailure": {
        "name": "AuthError",
        "message": "Invalid NAS OAuth token",
        "code": "AUTH_ERROR"
      }
    }
  }
}

The same token (fresh, unexpired) successfully mints agent keys via /api/oauth/agent-key and is accepted by inference-api.nousresearch.com/v1/chat/completions. Only the Tool Gateway endpoints reject it, based on the tool_gateway_admin claim.

Steps to reproduce

  1. Subscribe to a paid Nous Portal tier (any — I'm on Scale). Subscription created ~2 days before Tool Gateway launch on 2026-04-16 (renewal: 5/14/2026).
  2. hermes auth add nous --type oauth (or hermes model → Nous Portal)
  3. In config.yaml, set web.backend: firecrawl, web.use_gateway: true (and same for image_gen, tts, browser)
  4. hermes status reports: Nous Tool Gateway — Web tools ✓ active via Nous subscription, Image generation ✓ active via Nous subscription, etc. (client thinks all is correct)
  5. Prompt any Hermes agent to call web_search
  6. Agent invokes → gateway returns AUTH_ERROR as above

Environment

  • Hermes Agent: v0.10.0 (2026.4.16), git SHA 77e04a29 (0 commits behind main as of 2026-04-23)
  • Portal plan: Scale ($50/mo, paid, $40.38 credits remaining this month — account healthy)
  • Renewal: 2026-05-14 (subscription started 2026-04-14, two days before Tool Gateway launch)
  • Account sub: cmnit8tqn000cl704ac8x2jn8
  • Account email: sezaisuda@gmail.com
  • OS: Ubuntu 22.04 on Hetzner VPS
  • Python: 3.11.15

Investigation — everything verified and ruled out

| Hypothesis | Test | Result |
|---|---|---|
| Wrong OAuth scope | Probed 14 scope string variants at /api/oauth/device/code | All accepted; no scope unlocks the claim |
| Wrong OAuth client_id | OAuthed via hermes-cli, nous-chat, hermes-agent | All three mint tokens with tool_gateway_admin: false on my account |
| Client-side provisioning API missing | grep -rn "/api/tool-gateway" hermes_cli/ tools/ | Zero matches — no client-side provisioning endpoint exists anywhere in Hermes source |
| GitHub code search for tool_gateway_admin | gh search code across all public repos | Zero matches — the claim is set exclusively by closed-source Nous backend |
| Config missing use_gateway: true | Added per docs, all four tool categories | hermes status reports all tools "active via Nous subscription", runtime still hits AUTH_ERROR |
| hermes setup / hermes tools path | Source read: setup_tools delegates to tools_command, pure local YAML, zero portal API calls | Cannot affect server-side claim |
| Stale / expired token | Fresh mint every test (15-min TTL) | Claim identical on fresh and near-expired tokens |
| First use of Nous Chat | Sent first message via chat.nousresearch.com from browser, then minted fresh token | Still tool_gateway_admin: false |
| Subscription health | $40.38 credits remaining, SUBSCRIBED status | Account fully healthy |

Request

Please flip tool_gateway_admin to true on account cmnit8tqn000cl704ac8x2jn8 (email: sezaisuda@gmail.com, Scale subscriber). The pricing page commits to "Hosted tool usage" as a Scale feature, but the backend flag that governs CLI/Hermes-Agent access to *-gateway.nousresearch.com endpoints is not set on my account.

If this is a known provisioning gap for pre-Tool-Gateway-launch subscribers, please consider a backfill job. baekchan-dev in #13301 is a counter-example where Tool Gateway works correctly — some subset of paid accounts were provisioned, a subset was not.

Additional context

  • Running a 4-profile Hermes deployment (Pedro, Selim, Omar, Atlas) for a B2B platform. Tool Gateway would unlock web search, image generation, and browser automation for all four agents at no additional cost on my existing subscription.
  • Unable to use Discord for support (Discord is banned in Turkey, where I reside). GitHub is my only public channel for this report.
  • Happy to provide additional logs, correlation IDs, or assist with debugging — account-level access is the only missing piece.
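
The claim inspection described in this report (decoding freshly minted tokens, checking their freshness, and comparing them across client_id values), as an added example that is not part of the original report or of the Hermes code base. The sample tokens are constructed and unsigned and the helper names are hypothetical; the payload is decoded without signature verification, so this is for local diagnosis only.

```python
import base64, json, time

def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (local diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, now=None):
    """Summarise the claims the report inspects, plus token freshness."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp", 0)
    return {
        "client_id": claims.get("client_id"),
        "expired": now >= exp,
        "seconds_left": int(exp - now),
        "subscription_tier": claims.get("subscription_tier"),
        "tool_gateway_admin": claims.get("tool_gateway_admin"),
    }

def differing_claims(a, b, ignore=("iat", "exp")):
    """Claims whose values differ between two tokens, ignoring timestamps."""
    keys = (set(a) | set(b)) - set(ignore)
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}

def make_sample(payload):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])

# Constructed sample payloads using claim names and values shown in the report.
CLI = make_sample({"iat": 1776928664, "exp": 1776929564, "client_id": "hermes-cli",
                   "aud": "hermes-cli:hermes-cli", "subscription_tier": 3,
                   "tool_gateway_admin": False, "product_id": "nous-hermes-agent"})
CHAT = make_sample({"iat": 1776928700, "exp": 1776929600, "client_id": "nous-chat",
                    "aud": "hermes-cli:nous-chat", "subscription_tier": 3,
                    "tool_gateway_admin": False, "product_id": "nous-chat"})

if __name__ == "__main__":
    print(diagnose(CLI, now=1776928700))
    print(differing_claims(decode_claims(CLI), decode_claims(CHAT)))
```

If tool_gateway_admin is absent from the differing claims while client_id, aud and product_id are present, the flag is the same under both clients, which is the pattern the report uses to rule out client-level gating.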

Labels: P1 (High — major feature broken, no workaround); area/auth (Authentication, OAuth, credential pools); type/bug (Something isn't working)
