> ## Documentation Index
> Fetch the complete documentation index at: https://capy.sc/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Fly.io Machines: Encrypted Secrets via capy run

> Deploy to Fly.io with end-to-end encrypted secrets — use capy run as your Machine entrypoint and inject SECRETS_BLOB via flyctl secrets set. Auto-restart safe.

Fly Machines are long-running containers. Same pattern as [Docker](/using/deploying/docker): `capy run` wraps your process, and `flyctl secrets set` puts `SECRETS_BLOB` and `PROJECT_KEY` into the Machine's env.

## Dockerfile

```dockerfile theme={null}
FROM node:22-slim

WORKDIR /app
RUN npm install -g @capysc/cli

COPY package.json bun.lock ./
RUN bun install --production
COPY . .

EXPOSE 3000
ENTRYPOINT ["capy", "run", "--"]
CMD ["node", "server.js"]
```

## fly.toml

```toml theme={null}
app = "my-app"
primary_region = "sjc"

[build]

[http_service]
  internal_port = 3000
  force_https = true

[[vm]]
  memory = "512mb"
  cpu_kind = "shared"
```

No special Fly config needed - standard `http_service` on the port your app listens on.

## Setting secrets

```bash theme={null}
capy deploy      # pick Fly.io; copy the printed values

flyctl secrets set \
  SECRETS_BLOB="<value-from-capy-deploy>" \
  PROJECT_KEY="<value-from-capy-deploy>"
```

Fly restarts the Machines automatically after `flyctl secrets set`. The first boot under the new deploy code calls Capy's service once, caches the decrypted env for the Machine's lifetime, and serves traffic.

## Deploying

```bash theme={null}
flyctl deploy
```

That's it. The image has `capy run` as its entrypoint; Fly has the deploy-code secrets; every new Machine decrypts at boot.

## Verifying

Shell into a running Machine and inspect its env:

```bash theme={null}
flyctl ssh console
# Inside the Machine:
env | grep -E "DATABASE_URL|STRIPE"  # should show plaintext
```

`SECRETS_BLOB` and `PROJECT_KEY` are still set too - `capy run` passes the parent env through to the child.

## Revocation

Revoke the deploy token → next Machine boot fails to decrypt, Fly's health checks flag the bad rollout, traffic stays on the previous Machines. Rotate the project key instead if you need to kill all running Machines' ability to decrypt.
