> ## Documentation Index
> Fetch the complete documentation index at: https://capy.sc/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Railway, Render & Heroku: Secrets via capy run

> Deploy to Railway, Render, or Heroku with end-to-end encrypted secrets. Wrap your start command with capy run and set SECRETS_BLOB per environment.

All three platforms follow the same pattern: they invoke a start command on a long-running container. Wrap it with `capy run` and set `SECRETS_BLOB` + `PROJECT_KEY` in their env var UI.

## The pattern

```json theme={null}
// package.json
{
  "scripts": {
    "start": "capy run -- node server.js"
  }
}
```

Platform runs `npm start` (or equivalent). `capy run` decrypts `.env` or the blob on boot, spawns `node server.js` with plaintext `process.env`, the server runs until killed.

Any runtime works - just swap the inner command:

* Python: `capy run -- python app.py`
* Go: `capy run -- ./my-binary`
* Ruby: `capy run -- bundle exec rails server`

## Railway

1. **Install**: add `@capysc/cli` as a dep (`bun add @capysc/cli`). Railway will install it during the build step.
2. **Start command**: either use the `start` script in `package.json` (Railway runs `npm start` by default) or set a custom start command in Railway's service settings: `capy run -- <your cmd>`.
3. **Env vars**: set `SECRETS_BLOB` and `PROJECT_KEY` in **Variables** (Railway dashboard).
4. **Deploy**: push to the connected git branch.

## Render

1. **Install**: `@capysc/cli` as a dep.
2. **Start command**: in Render's service settings → **Start Command**, set `capy run -- <your cmd>`.
3. **Env vars**: **Environment** tab → add `SECRETS_BLOB` and `PROJECT_KEY`.
4. **Deploy**: push, Render picks up the new build.

## Heroku

```procfile theme={null}
# Procfile
web: capy run -- node server.js
```

```bash theme={null}
heroku config:set \
  SECRETS_BLOB="..." \
  PROJECT_KEY="..."

git push heroku main
```

`@capysc/cli` needs to be in `dependencies` (not `devDependencies`) so Heroku installs it for the runtime dyno.

## Per-environment secrets

Each platform has a separate env var store per service / environment. Running `capy deploy` once per environment and pasting the per-env output into the right env-var store gives you distinct secrets per environment:

* Railway: create a new Capy deploy token for each Railway environment (Production, Staging, etc.)
* Render: same - each service instance gets its own token
* Heroku: each Heroku pipeline stage gets its own config vars

## Revocation

Revoke the deploy token → next redeploy or dyno restart fails to decrypt. Already-running dynos keep their in-memory keys until they recycle. For instant revocation across all running instances, rotate the project key.
