Hermes Loop

Slack slash command
POST inbound /foundry slash command → InboxItem + triage.

What this is
Accepts Slack slash-command POSTs (/foundry <objective>) — verifies the Slack signing-secret HMAC and replies with an ephemeral ack.
What to do
Send a POST to /api/integrations/slack. Each command creates an InboxItem and queues a TRIAGE_INBOX job. Slack receives a quick ephemeral ack so the slash command doesn't time out.
What happens next
Open /inbox to see the new item; the worker triages on its next tick and turns it into a mission.
Inbound
Active

Accepting unsigned posts (fine for local dev). Set the signing secret below to require HMAC.

Outbound
Optional

Add a webhook URL or bot token below to receive approval notifications.

Try it now
# Local JSON test (skips Slack signing — works because the route also accepts JSON):
curl -X POST https://hermes-agent.vercel.app/api/integrations/slack \
  -H "Content-Type: application/json" \
  -d '{"command":"/foundry","text":"audit https://example.com","user_name":"vlk","channel_name":"qa","team_id":"T123"}'

# Real Slack slash command:
# Configure /foundry as a slash command at api.slack.com/apps,
# pointing at https://hermes-agent.vercel.app/api/integrations/slack and using SLACK_SIGNING_SECRET.

On success the response includes inboxItemId; the item appears in /inbox and a TRIAGE_INBOX job is queued for the worker.

Setup steps
  1. Create a Slack app at api.slack.com/apps.
  2. Add a slash command /foundry with request URL https://hermes-agent.vercel.app/api/integrations/slack.
  3. Copy the app's Signing Secret into SLACK_SIGNING_SECRET in .env.local.
  4. Install the app to your workspace.
  5. Try /foundry audit https://example.com in any channel.

Recent inbound

Nothing yet. Run the test command above and refresh.
Developer details
Environment variables
SLACK_SIGNING_SECRET (optional): When set, inbound POSTs must include a valid X-Slack-Signature header (HMAC-SHA256 of `v0:<ts>:<body>`) and a fresh X-Slack-Request-Timestamp (within 5 min). Without it, JSON test posts still work for local dev.

Secrets are read from process.env only. They are never logged or shown anywhere in the UI.
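
The signature check described under SLACK_SIGNING_SECRET, sketched as an added example (not this project's own code). The function names, reason strings and sample request are assumptions made for illustration; the `v0=` prefix on the header value is Slack's documented format.

```javascript
// Added example: names below are illustrative, not the project's own code.
const crypto = require("node:crypto");

const MAX_SKEW_SECONDS = 5 * 60; // "fresh" window stated on the page

// Slack's signature value is "v0=" + hex(HMAC-SHA256(secret, "v0:<ts>:<body>")).
function signSlackRequest(secret, timestamp, rawBody) {
  const base = `v0:${timestamp}:${rawBody}`;
  const mac = crypto.createHmac("sha256", secret).update(base, "utf8").digest("hex");
  return `v0=${mac}`;
}

// rawBody must be the exact bytes received, before any form or JSON parsing.
function verifySlackRequest({ secret, timestamp, signature, rawBody, now = Date.now() / 1000 }) {
  if (!secret) return { ok: false, reason: "no-secret" };
  if (typeof signature !== "string" || !/^\d+$/.test(String(timestamp ?? ""))) {
    return { ok: false, reason: "missing-headers" };
  }
  // Reject old or future-dated requests so a captured POST cannot be replayed later.
  if (Math.abs(now - Number(timestamp)) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: "stale-timestamp" };
  }
  const expected = Buffer.from(signSlackRequest(secret, timestamp, rawBody), "utf8");
  const given = Buffer.from(signature, "utf8");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) {
    return { ok: false, reason: "bad-signature" };
  }
  return { ok: true, reason: null };
}

// Constructed sample request (not real Slack traffic).
const SAMPLE = {
  secret: "constructed-signing-secret",
  timestamp: "1700000000",
  rawBody: "command=%2Ffoundry&text=audit+https%3A%2F%2Fexample.com&team_id=T123",
};
SAMPLE.signature = signSlackRequest(SAMPLE.secret, SAMPLE.timestamp, SAMPLE.rawBody);

function demo() {
  const at = (offset) => Number(SAMPLE.timestamp) + offset;
  return {
    valid: verifySlackRequest({ ...SAMPLE, now: at(10) }),
    tampered: verifySlackRequest({ ...SAMPLE, rawBody: SAMPLE.rawBody + "&x=1", now: at(10) }),
    replayed: verifySlackRequest({ ...SAMPLE, now: at(301) }),
    unsigned: verifySlackRequest({ ...SAMPLE, signature: undefined, now: at(10) }),
  };
}

console.log(demo());
```

The `no-secret` result leaves the local-dev fallback to the caller, so a deployment can choose to refuse unsigned posts outright when the secret is missing.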