Synopsis
Description
Generates a deploy token for this project, opens your browser to a platform-selection page, and prints two environment variables to paste into your platform’s secret store:SECRETS_BLOB- a base64 blob containing the deploy ID, an outer-wrapped key material blob (held by the Capy service), and the encrypted env vars. Self-contained.PROJECT_KEY- a hex-encoded 32-byte key. Never leaves your platform’s env; never traverses the wire to the Capy service.
capy run detects both variables, sends only the outer-wrapped portion of SECRETS_BLOB to the service, receives a derived service key (the service verifies the deploy token isn’t revoked first), combines that with PROJECT_KEY locally to reconstruct the decrypt key, and decrypts the env vars in process memory. The service never learns the project key or the plaintext values.
Platforms
Capy ships platform-specific instructions for common targets, including:- Managed runtimes: Vercel, Render, Fly.io, Railway, Heroku, Netlify.
- Container orchestration: Kubernetes, Docker Swarm, Nomad.
- CI/CD: GitHub Actions, GitLab CI, CircleCI.
GitHub Actions connector
GitHub Actions has a built-in connector that pushesSECRETS_BLOB and PROJECT_KEY straight into your repo’s Actions secret store over the gh CLI - no copy-paste. Pick GitHub Actions, then Push SECRETS_BLOB + PROJECT_KEY to GitHub secrets via gh, and choose repository or environment scope. Flags let it run non-interactively:
| Flag | Effect |
|---|---|
--platform <id> | Skip the platform picker (e.g. github-actions, vercel). |
--mode connector | token | Push secrets via gh, or print them for manual setup. |
--scope repo | env | GitHub Actions: repository vs. environment secrets. |
--env-name <name> | GitHub Actions: environment name when --scope env. |
--yes, -y | Skip confirmation prompts. |
How it works at runtime
Wrap your app (or its build step) withcapy run -- <your command>. capy run auto-detects deployed mode when both SECRETS_BLOB and PROJECT_KEY are set in process.env, runs the decrypt flow, and spawns the child with plaintext values in its environment.
For long-running servers (Fly, Render, Railway, Heroku, containers), set it as the entrypoint:
Revocation
Deploy tokens can be revoked server-side. A revoked token immediately stops working for new builds and boots - already-running processes that have reconstructed the key keep functioning.See also
- Deploying - the full flow and patterns
- Cryptography → Deploying to production - the exact construction