flyctl secrets set: Fly.io App Secrets in CI
flyctl secrets set KEY=value stores encrypted environment secrets for an app and, by default, deploys a new release so they take effect.
Secrets on Fly are app-scoped env vars. Setting one normally restarts the app; in CI you often stage them and let the next deploy apply them.
What it does
flyctl secrets set writes one or more KEY=value secrets, encrypts them, and rolls out a new release by default. --stage stores them without releasing, so the next flyctl deploy applies them. flyctl secrets list shows names and digests; flyctl secrets unset removes them.
Common usage
flyctl secrets set DATABASE_URL="$DATABASE_URL" API_KEY="$API_KEY" --app my-app
# stage without an immediate release, apply on next deploy
flyctl secrets set SECRET="$SECRET" --stage --app my-app
flyctl deploy --remote-only --app my-appOptions
| Command / flag | What it does |
|---|---|
| secrets set K=V ... | Set one or more secrets (releases by default) |
| --stage | Store without releasing; apply on next deploy |
| --detach | Do not wait for the release to finish |
| secrets list | List secret names and digests |
| secrets unset K | Remove a secret |
| --app <name> | Target app |
In CI
Use --stage when you set secrets right before a deploy so you do not trigger two separate rollouts. Set FLY_API_TOKEN as an env var for auth. Read values from env (API_KEY="$API_KEY") rather than literals to keep them out of the script.
Common errors in CI
"Error: No access token available. Please login with 'flyctl auth login'" means FLY_API_TOKEN is unset. "Error: could not find app" means a wrong --app or fly.toml. Secrets that do not take effect were set with --stage and no subsequent deploy ran.