Docker is the simplest case: capy run is your entrypoint, and the runtime platform (whatever orchestrates the container) sets SECRETS_BLOB and PROJECT_KEY in the container’s env.

Dockerfile

FROM node:22-slim

WORKDIR /app
COPY package.json bun.lock ./
# node:22-slim does not ship bun, so install it alongside the Capy CLI
RUN npm install -g @capy/cli bun && bun install --production

COPY . .

# capy run reads SECRETS_BLOB + PROJECT_KEY from the container env,
# decrypts, and spawns your app with plaintext process.env.
ENTRYPOINT ["capy", "run", "--"]
CMD ["node", "server.js"]

Any language works - swap the base image and the CMD. Python: CMD ["python", "app.py"]. Go: CMD ["./my-binary"]. Ruby: CMD ["bundle", "exec", "rails", "server"].

Running

docker build -t my-app .

docker run \
  -e SECRETS_BLOB="$SECRETS_BLOB" \
  -e PROJECT_KEY="$PROJECT_KEY" \
  -p 3000:3000 \
  my-app

Running capy deploy and picking Docker prints a docker run snippet with your exact values filled in.

docker-compose

services:
  app:
    build: .
    environment:
      SECRETS_BLOB: ${SECRETS_BLOB}
      PROJECT_KEY: ${PROJECT_KEY}
    ports:
      - "3000:3000"

Set SECRETS_BLOB and PROJECT_KEY in the compose host’s env (your shell, a .env file next to compose.yaml - not the Capy-managed .env inside the project).

Kubernetes

apiVersion: v1
kind: Secret
metadata:
  name: capy-deploy
type: Opaque
stringData:
  SECRETS_BLOB: "eyJkZXBsb3lJZCI6..."
  PROJECT_KEY: "a1b2c3..."
---
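apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app            # example name
spec:
  selector:
    matchLabels:
      app: my-app         # must match the pod template labels below
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: registry.example.com/my-app:latest
          # Injects every key of the Secret (SECRETS_BLOB, PROJECT_KEY) as an env var
          envFrom:
            - secretRef:
                name: capy-deploy
          ports:
            - containerPort: 3000

The container image’s ENTRYPOINT ["capy", "run", "--"] wraps your app; Kubernetes injects the two env vars from the Secret.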

Image size

@capy/cli is a single Node binary (~15 MB). If you want a smaller runtime image, use a multi-stage build and install @capy/cli only in the final stage; capy run doesn’t need build tooling.
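
A multi-stage version of the Dockerfile above, added here as an example (it is not Capy's own file). The deps stage name, installing bun from npm, and the USER node line are assumptions of this example.

```dockerfile
# ---- deps stage: bun and the dependency install live here and are discarded ----
FROM node:22-slim AS deps
WORKDIR /app
COPY package.json bun.lock ./
# bun is installed from npm because node:22-slim does not ship it
RUN npm install -g bun && bun install --production

# ---- runtime stage: Node, @capy/cli, the app and its production deps only ----
FROM node:22-slim
WORKDIR /app
RUN npm install -g @capy/cli

# Copy the app first, then the installed deps, so a stray local
# node_modules directory cannot overwrite the ones built above.
COPY . .
COPY --from=deps /app/node_modules ./node_modules

# Assumption: capy run only reads the env and spawns the child process,
# so the unprivileged "node" user from the base image is sufficient.
USER node

# No ENV or ARG for SECRETS_BLOB / PROJECT_KEY: both arrive at runtime from
# the platform, so neither value is stored in an image layer or its history.
ENTRYPOINT ["capy", "run", "--"]
CMD ["node", "server.js"]
```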

Revocation

Revoking the deploy token stops new container boots. Running containers keep their in-memory keys until they restart. To force immediate revocation everywhere, rotate the project key.