Documentation Index
Fetch the complete documentation index at: https://docs.capy.sc/llms.txt
Use this file to discover all available pages before exploring further.
Synopsis
Description
Generates a deploy token for this project, opens your browser to a platform-selection page, and prints two environment variables to paste into your platform’s secret store:SECRETS_BLOB- a base64 blob containing the deploy ID, an outer-wrapped key material blob (held by the Capy service), and the encrypted env vars. Self-contained.PROJECT_KEY- a hex-encoded 32-byte key. Never leaves your platform’s env; never traverses the wire to the Capy service.
capy run detects both variables, sends only the outer-wrapped portion of SECRETS_BLOB to the service, receives a derived service key (the service verifies the deploy token isn’t revoked first), combines that with PROJECT_KEY locally to reconstruct the decrypt key, and decrypts the env vars in process memory. The service never learns the project key or the plaintext values.
Platforms
Capy ships platform-specific instructions for common targets, including:- Managed runtimes: Vercel, Render, Fly.io, Railway, Heroku, Netlify.
- Container orchestration: Kubernetes, Docker Swarm, Nomad.
- CI/CD: GitHub Actions, GitLab CI, CircleCI.
How it works at runtime
Wrap your app (or its build step) withcapy run -- <your command>. capy run auto-detects deployed mode when both SECRETS_BLOB and PROJECT_KEY are set in process.env, runs the decrypt flow, and spawns the child with plaintext values in its environment.
For long-running servers (Fly, Render, Railway, Heroku, containers), set it as the entrypoint:
Revocation
Deploy tokens can be revoked server-side. A revoked token immediately stops working for new builds and boots - already-running processes that have reconstructed the key keep functioning.See also
- Deploying - the full flow and patterns
- Cryptography → Deploying to production - the exact construction