Gene Library Courses Download Pricing Contact Sign in
fly-io logo
cloud Official Website

Fly.io MCP Server – Apps and Machines Control

Fly.io's official flyctl MCP server gives AI agents structured access to supported Fly.io application and infrastructure commands. Use it to inspect and manage apps, Machines, certificates, logs, organizations, secrets, status, and volumes from an MCP-compatible client.

#app-deployment#virtual-machines#edge-infrastructure

Overview

Fly.io's official MCP server is built into the flyctl command-line tool. It
exposes supported Fly.io commands as MCP tools, allowing compatible AI clients
to inspect and manage live Fly.io resources without requiring every flyctl
command to be entered manually.

What the MCP server enables

Fly.io documents support for most commands and subcommands in several core
resource areas. Depending on the authenticated account and organization
permissions, an AI agent can:

  • Manage Fly Apps.
  • Inspect and manage Fly Machines.
  • View and manage application certificates.
  • Retrieve application logs.
  • Inspect Fly.io platform information.
  • Work with organizations and organization membership.
  • Read or manage application secrets.
  • Retrieve application status and deployment details.
  • Inspect and manage Fly Volumes.

The available tool set reflects the capabilities exposed by the installed
flyctl version, so upgrading flyctl may add or change supported tools.

When to use it

Use the Fly.io MCP server when an AI workflow needs current Fly.io
infrastructure context or must perform an approved operation. Typical examples
include listing apps, checking deployment status, reviewing logs, inspecting
Machines, updating application secrets, checking certificates, reviewing
organization resources, or managing persistent volumes.

Connection and authentication

The standard local configuration runs fly mcp server over stdio. Fly.io can
automatically add the server to supported clients with flags such as
--claude, --cursor, --vscode, --windsurf, --zed, or --neovim.

The server also supports SSE with --sse and Streaming HTTP with --stream.
By default, network transports bind to 127.0.0.1 on port 8080. The bind
address can be changed with --bind-addr.

Authentication is resolved from a bearer token supplied in the request, the
--access-token command flag, or the FLY_ACCESS_TOKEN environment variable.
An authenticated flyctl session can also provide the required account context.

Key considerations

Fly.io currently marks the MCP server as experimental. Tool calls can create or
modify real infrastructure, reveal logs, rotate secrets, or affect running
applications. Require human confirmation for write or destructive operations,
use narrowly scoped access tokens, and avoid exposing the network server beyond
localhost without strong access controls. Fly.io warns that remotely exposing
the server can allow others to run commands on the user's behalf. Keep
flyctl updated and test changes in non-production applications first.

Supported Transports

stdio

Command: fly

Args:

  • mcp
  • server

streamable_http

URL: http://127.0.0.1:8080

sse

URL: http://127.0.0.1:8080

Frequently Asked Questions

When should an AI agent use the Fly.io MCP server?
Use it when a workflow needs live Fly.io application or infrastructure context, such as listing apps, inspecting Machines, reviewing logs, checking status, managing certificates, working with organizations, updating secrets, or inspecting volumes.
What does the Fly.io MCP server add to an AI agent's capabilities?
It gives the agent structured access to supported flyctl commands and live Fly.io resources, allowing it to inspect and manage current infrastructure instead of relying only on static model knowledge or manually copied CLI output.
What can an AI agent access or manage through Fly.io MCP?
Depending on account permissions and the installed flyctl version, the agent can work with apps, Machines, certificates, logs, organizations, platform information, secrets, application status, deployment details, and persistent volumes.
How is authentication configured for the Fly.io MCP server?
Authentication can come from a bearer token in the request, the --access-token command option, the FLY_ACCESS_TOKEN environment variable, or an authenticated flyctl session. Store tokens securely and grant only the permissions required by the intended workflow.
Which transport should be used for the Fly.io MCP server?
Use stdio with `fly mcp server` for the standard local configuration. Use Streaming HTTP with `--stream` or SSE with `--sse` only when a network transport is required, and keep the server bound to localhost unless strong access controls are in place.