Skip to main content

Synopsis

capy deploy

Description

Generates a deploy token for this project, opens your browser to a platform-selection page, and prints two environment variables to paste into your platform’s secret store:
  • SECRETS_BLOB - a base64 blob containing the deploy ID, an outer-wrapped key material blob (held by the Capy service), and the encrypted env vars. Self-contained.
  • PROJECT_KEY - a hex-encoded 32-byte key. Never leaves your platform’s env; never traverses the wire to the Capy service.
At build or boot time capy run detects both variables, sends only the outer-wrapped portion of SECRETS_BLOB to the service, receives a derived service key (the service verifies the deploy token isn’t revoked first), combines that with PROJECT_KEY locally to reconstruct the decrypt key, and decrypts the env vars in process memory. The service never learns the project key or the plaintext values.

Platforms

Capy ships platform-specific instructions for common targets, including:
  • Managed runtimes: Vercel, Render, Fly.io, Railway, Heroku, Netlify.
  • Container orchestration: Kubernetes, Docker Swarm, Nomad.
  • CI/CD: GitHub Actions, GitLab CI, CircleCI.
Pick your platform in the browser and follow the instructions it prints.

GitHub Actions connector

GitHub Actions has a built-in connector that pushes SECRETS_BLOB and PROJECT_KEY straight into your repo’s Actions secret store over the gh CLI - no copy-paste. Pick GitHub Actions, then Push SECRETS_BLOB + PROJECT_KEY to GitHub secrets via gh, and choose repository or environment scope. Flags let it run non-interactively:
capy deploy --platform github-actions --mode connector --scope repo --yes
capy deploy --platform github-actions --mode connector --scope env --env-name production --yes
FlagEffect
--platform <id>Skip the platform picker (e.g. github-actions, vercel).
--mode connector | tokenPush secrets via gh, or print them for manual setup.
--scope repo | envGitHub Actions: repository vs. environment secrets.
--env-name <name>GitHub Actions: environment name when --scope env.
--yes, -ySkip confirmation prompts.
See Deploying → GitHub Actions for the full walkthrough.

How it works at runtime

Wrap your app (or its build step) with capy run -- <your command>. capy run auto-detects deployed mode when both SECRETS_BLOB and PROJECT_KEY are set in process.env, runs the decrypt flow, and spawns the child with plaintext values in its environment. For long-running servers (Fly, Render, Railway, Heroku, containers), set it as the entrypoint:
capy run -- node server.js
For build-time inlining (Vercel, Netlify, any build-then-deploy platform), wrap the build:
"scripts": { "build": "capy run -- next build" }
In both cases the two env vars are the only Capy-related things your platform holds. See Deploying → Vercel for the Next.js walkthrough.

Revocation

Deploy tokens can be revoked server-side. A revoked token immediately stops working for new builds and boots - already-running processes that have reconstructed the key keep functioning.

See also

Last modified on June 4, 2026