Skip to main content
The capy run command decrypts your .env in memory and hands the plaintext to your Python process. Your code reads env vars the normal way: os.environ, os.getenv, or libraries like python-dotenv.
1

Install the CLI

brew install capysc/tap/capy
npm install -g @capysc/cli
bun add -g @capysc/cli
2

Sync your secrets

From a project that has a .env:
capy
Capy authenticates you, creates a project on first run, encrypts every value in .env, and gitignores the file. Only keep.lock (a small versioning manifest) gets committed.
3

Run your app with capy run

Prefix whatever command you normally run:
capy run -- python app.py
capy run -- python -m uvicorn main:app
capy run -- pytest
Capy reads .env, decrypts values, and passes them as environment variables to the child process. Your code reads them the usual way:
import os

db_url = os.environ["DATABASE_URL"]
4

Invite a teammate

capy invite teammate@example.com
Capy prints a one-line redeem code. Send it out-of-band (Signal, password manager). They run capy redeem <code> to join.
5

Deploy

capy deploy
Capy walks you through hooking up the deploy platform of your choice - Vercel, Fly.io, Railway, Render, Kubernetes, and more.

What’s next

Running your app

The full story on capy run - signals, exit codes, env precedence.

Deploying

How deploy tokens work and what your platform needs.
Last modified on June 10, 2026