Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.capy.sc/llms.txt

Use this file to discover all available pages before exploring further.

All three platforms follow the same pattern: they invoke a start command on a long-running container. Wrap it with capy run and set SECRETS_BLOB + PROJECT_KEY in their env var UI.

The pattern

// package.json
{
  "scripts": {
    "start": "capy run -- node server.js"
  }
}
Platform runs npm start (or equivalent). capy run decrypts .env or the blob on boot, spawns node server.js with plaintext process.env, the server runs until killed. Any runtime works - just swap the inner command:
  • Python: capy run -- python app.py
  • Go: capy run -- ./my-binary
  • Ruby: capy run -- bundle exec rails server

Railway

  1. Install: add @capy/cli as a dep (bun add @capy/cli). Railway will install it during the build step.
  2. Start command: either use the start script in package.json (Railway runs npm start by default) or set a custom start command in Railway’s service settings: capy run -- <your cmd>.
  3. Env vars: set SECRETS_BLOB and PROJECT_KEY in Variables (Railway dashboard).
  4. Deploy: push to the connected git branch.

Render

  1. Install: @capy/cli as a dep.
  2. Start command: in Render’s service settings → Start Command, set capy run -- <your cmd>.
  3. Env vars: Environment tab → add SECRETS_BLOB and PROJECT_KEY.
  4. Deploy: push, Render picks up the new build.

Heroku

# Procfile
web: capy run -- node server.js

heroku config:set \
  SECRETS_BLOB="..." \
  PROJECT_KEY="..."

git push heroku main
@capy/cli needs to be in dependencies (not devDependencies) so Heroku installs it for the runtime dyno.

Per-environment secrets

Each platform has a separate env var store per service / environment. Running capy deploy once per environment and pasting the per-env output into the right env-var store gives you distinct secrets per environment:
  • Railway: create a new Capy deploy token for each Railway environment (Production, Staging, etc.)
  • Render: same - each service instance gets its own token
  • Heroku: each Heroku pipeline stage gets its own config vars

Revocation

Revoke the deploy token → next redeploy or dyno restart fails to decrypt. Already-running dynos keep their in-memory keys until they recycle. For instant revocation across all running instances, rotate the project key.