Skip to content
Latchkey

flyctl secrets set: Fly.io App Secrets in CI

flyctl secrets set KEY=value stores encrypted environment secrets for an app and, by default, deploys a new release so they take effect.

Secrets on Fly are app-scoped env vars. Setting one normally restarts the app; in CI you often stage them and let the next deploy apply them.

What it does

flyctl secrets set writes one or more KEY=value secrets, encrypts them, and rolls out a new release by default. --stage stores them without releasing, so the next flyctl deploy applies them. flyctl secrets list shows names and digests; flyctl secrets unset removes them.

Common usage

Terminal
flyctl secrets set DATABASE_URL="$DATABASE_URL" API_KEY="$API_KEY" --app my-app
# stage without an immediate release, apply on next deploy
flyctl secrets set SECRET="$SECRET" --stage --app my-app
flyctl deploy --remote-only --app my-app

Options

Command / flagWhat it does
secrets set K=V ...Set one or more secrets (releases by default)
--stageStore without releasing; apply on next deploy
--detachDo not wait for the release to finish
secrets listList secret names and digests
secrets unset KRemove a secret
--app <name>Target app

In CI

Use --stage when you set secrets right before a deploy so you do not trigger two separate rollouts. Set FLY_API_TOKEN as an env var for auth. Read values from env (API_KEY="$API_KEY") rather than literals to keep them out of the script.

Common errors in CI

"Error: No access token available. Please login with 'flyctl auth login'" means FLY_API_TOKEN is unset. "Error: could not find app" means a wrong --app or fly.toml. Secrets that do not take effect were set with --stage and no subsequent deploy ran.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →