fly secrets set Command Reference
Set encrypted runtime secrets on a Fly.io application.
fly secrets set stores encrypted environment variables that your app reads at runtime. By default setting a secret triggers a redeploy so the new value takes effect.
What it does
fly secrets set writes one or more encrypted secrets to the apps vault and, unless told otherwise, stages a new release so running machines pick up the values. Secrets are never returned in plaintext after they are set.
Common flags and usage
- KEY=VALUE ...: one or more secrets to set
- --app NAME: target a specific app
- --stage: stage the secret without deploying now
- --detach: do not wait for the triggered release to finish
- pipe values via stdin to avoid them appearing in process args
Example
- name: Set Fly secrets
env:
FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
run: |
flyctl secrets set --app my-app --stage \
DATABASE_URL="${{ secrets.DATABASE_URL }}" \
SESSION_KEY="${{ secrets.SESSION_KEY }}"In CI
Use --stage when you want to set secrets and then deploy in a controlled step rather than triggering an implicit redeploy. Source values from CI secrets and prefer stdin or env interpolation so plaintext never lands in shell history or job logs.
Key takeaways
- fly secrets set stores encrypted runtime secrets for a Fly.io app.
- Setting a secret redeploys by default; use --stage to defer the release.
- Source values from CI secrets and keep plaintext out of logs.