> ## Documentation Index
> Fetch the complete documentation index at: https://capy.sc/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# capy deploy: Set Up Encrypted Production Secrets

> Generate platform-specific deploy tokens via capy deploy — supports Vercel, Cloudflare, Fly, Railway, Render, Heroku, Lambda, Docker, and GitHub Actions.

## Synopsis

```bash theme={null}
capy deploy
```

## Description

Generates a deploy token for this project, opens your browser to a platform-selection page, and prints two environment variables to paste into your platform's secret store:

* **`SECRETS_BLOB`** - a base64 blob containing the deploy ID, an outer-wrapped key material blob (held by the Capy service), and the encrypted env vars. Self-contained.
* **`PROJECT_KEY`** - a hex-encoded 32-byte key. Never leaves your platform's env; never traverses the wire to the Capy service.

At build or boot time `capy run` detects both variables, sends only the outer-wrapped portion of `SECRETS_BLOB` to the service, receives a derived service key (the service verifies the deploy token isn't revoked first), combines that with `PROJECT_KEY` locally to reconstruct the decrypt key, and decrypts the env vars in process memory. The service never learns the project key or the plaintext values.

## Platforms

Capy ships platform-specific instructions for common targets, including:

* **Managed runtimes:** Vercel, Render, Fly.io, Railway, Heroku, Netlify.
* **Container orchestration:** Kubernetes, Docker Swarm, Nomad.
* **CI/CD:** GitHub Actions, GitLab CI, CircleCI.

Pick your platform in the browser and follow the instructions it prints.

### GitHub Actions connector

GitHub Actions has a built-in connector that pushes `SECRETS_BLOB` and `PROJECT_KEY` straight into your repo's Actions secret store over the `gh` CLI - no copy-paste. Pick **GitHub Actions**, then **Push SECRETS\_BLOB + PROJECT\_KEY to GitHub secrets via gh**, and choose repository or environment scope. Flags let it run non-interactively:

```bash theme={null}
capy deploy --platform github-actions --mode connector --scope repo --yes
capy deploy --platform github-actions --mode connector --scope env --env-name production --yes
```

| Flag                          | Effect                                                      |
| ----------------------------- | ----------------------------------------------------------- |
| `--platform <id>`             | Skip the platform picker (e.g. `github-actions`, `vercel`). |
| `--mode connector` \| `token` | Push secrets via `gh`, or print them for manual setup.      |
| `--scope repo` \| `env`       | GitHub Actions: repository vs. environment secrets.         |
| `--env-name <name>`           | GitHub Actions: environment name when `--scope env`.        |
| `--yes`, `-y`                 | Skip confirmation prompts.                                  |

See [Deploying → GitHub Actions](/using/deploying/github-actions) for the full walkthrough.

## How it works at runtime

Wrap your app (or its build step) with `capy run -- <your command>`. `capy run` auto-detects deployed mode when both `SECRETS_BLOB` and `PROJECT_KEY` are set in `process.env`, runs the decrypt flow, and spawns the child with plaintext values in its environment.

For long-running servers (Fly, Render, Railway, Heroku, containers), set it as the entrypoint:

```bash theme={null}
capy run -- node server.js
```

For build-time inlining (Vercel, Netlify, any build-then-deploy platform), wrap the build:

```json theme={null}
"scripts": { "build": "capy run -- next build" }
```

In both cases the two env vars are the only Capy-related things your platform holds. See [Deploying → Vercel](/using/deploying#vercel) for the Next.js walkthrough.

## Revocation

Deploy tokens can be revoked server-side. A revoked token immediately stops working for new builds and boots - already-running processes that have reconstructed the key keep functioning.

## See also

* [Deploying](/using/deploying) - the full flow and patterns
* [Cryptography → Deploying to production](/internals/cryptography#deploying-to-production) - the exact construction
