ceven

Fly

Manages your global infrastructure by automating VM deployments, health monitoring, and network configuration across Fly regions.

Try Fly in Ceven

Ask Ceven anything
Standard

Why use Ceven?

  1. AI native Fly integration

    • Describe the outcome and Ceven picks the right Fly calls, fills the parameters, and checks the result.
    • Structured, agent friendly tool schemas so each call runs reliably instead of by guesswork.
    • Rich coverage for reading, writing, and querying your Fly data, across all 45 of its actions.

  2. Managed auth

    • Built in OAuth with automatic token refresh and rotation.
    • One place to manage, scope, and revoke Fly access.
    • Per user and per environment credentials instead of shared keys.

  3. Agent optimized design

    • Actions are tuned from real success and error rates so reliability climbs over time.
    • Full execution logs so you always know what ran in Fly, when, and on whose behalf.
    • The agent pauses and asks when Fly is unclear instead of plowing ahead.

  4. Enterprise grade security

    • Fine grained access so you control which agents and people can reach Fly.
    • Least privilege by default, read scopes first and only the writes a workflow needs.
    • A full audit trail of every Fly action to support review and sign off.

Supported tools

Every action Ceven's agents can run on Fly, and when to use it.

Check app availability
Use this when you need to validate if a proposed app name is available before attempting to create a new app.
Create health check
Set up automated health monitoring for a URL from multiple geographic locations to track uptime.
Run health check
Use this to manually trigger a run of an existing health check job for immediate testing.
Add WireGuard peer
Add a WireGuard peer connection to an organization for private network access between infrastructure.
Get app details
Pull detailed information about a specific application including certificates and configuration.
List machines
Retrieve information about deployed machines including their state, region, and creation time.
Get latest image tag
Find the most recent version of a Docker image available in the Fly registry.
Issue SSH certificate
Generate an SSH certificate in OpenSSH format to authenticate access to machines or apps.
Get nearest region
Determine which Fly region has the lowest latency based on the current requesting client location.
Detach Postgres cluster
Use this to remove database connectivity from an application and revoke access credentials.
List organization apps
Pull a full list of all applications associated with a specific organization slug.
Get platform info
Retrieve available regions, VM sizes, and current platform version details.
Get personal organization
Check credit balance, saved payment methods, and personal organization certificates.
List add ons
Retrieve all add ons associated with an organization including provider and status.
Check App Name Availability
Tool to validate an app name for Fly.io app creation. Use when you need to check if a proposed app name is available before attempting to create a new app. Returns availability status via GraphQL query.
Check Jobs
Execute GraphQL queries against the Fly.io checkJobs endpoint. Retrieves check jobs with their schedules, URLs, and configuration. Supports pagination via first/last/after/before parameters. Returns both data and errors for flexible error h
Check User Only Token
Check whether the authentication token only allows user access. Returns false if the token allows organization access, true if it only allows user access.
Create Health Check Job
Tool to create a health check job for monitoring application endpoints in Fly.io. Use when you need to set up automated health monitoring for a URL from multiple geographic locations.
Create Check Job Run
Triggers a run of an existing health check job on Fly.io. Use when you need to manually trigger a health check for monitoring or testing purposes.
Create Delegated WireGuard Token
Tool to create a delegated WireGuard token for peer management in a Fly.io organization. Use when you need to generate a token for managing WireGuard peers with delegated access.
Create Third Party Configuration
Tool to create a third party service configuration for discharging macaroon caveats. Use when you need to configure external authorization services for Fly.io token validation.
Delete Delegated WireGuard Token
Tool to delete a delegated WireGuard token from a Fly.io organization. Use when you need to revoke or remove an existing WireGuard token that was previously created. Either token or name must be provided to identify which token to delete.
Delete Organization
Tool to delete a Fly.io organization and all its associated resources using the GraphQL API. Use when you need to permanently remove an organization. This operation is irreversible.
Delete Remote Builder
Tool to delete a remote builder configuration for a Fly.io organization. Use when you need to remove the remote builder setup from an organization.
Delete Third Party Configuration
Tool to delete a third party service configuration from Fly.io. Use when you need to remove an existing third party service integration or configuration that was previously created.
Establish SSH Key
Tool to establish an SSH key for a Fly.io organization. Use when setting up SSH access for secure connections to Fly.io infrastructure.
Fetch Nodes by IDs
Fetches a list of node objects from Fly.io given a list of IDs using the GraphQL nodes query. Use when you need to retrieve multiple objects by their IDs in a single request. Supports all Node interface types including Organization, App, Ma
Get Add On
Tool to find a Fly.io add on by ID, name, or provider. Use when you need to retrieve details about a specific add on. Returns add on information including status, organization, region, and access URLs.
Get Add On Provider
Tool to query information about a specific Fly.io add on provider (extension) by name. Returns provider details including provisioning settings, terms of service, and configuration options.
Get Certificate
Tool to retrieve a certificate by its ID from Fly.io. Use when you need to get details about a specific certificate including hostname, creation date, and configuration status.

30 actions · scroll to see them all

Frequently asked questions

Ceven uses the Fly API token model to interact with your infrastructure. You provide a token with the necessary scopes for the actions you want the agent to perform. We store this token encrypted at rest and include it in the header of every GraphQL or REST request sent to the Fly API. You can rotate this token at any time from your Fly dashboard or via the CLI. If you delete the token, Ceven immediately loses access to your machines and apps. We recommend creating a dedicated token for Ceven with the minimum permissions required to manage your specific workflows to ensure maximum security.
Yes. You can build a workflow that uses the Create Check Job Run action to monitor your endpoints. If the response indicates a failure, the agent can then use the machine management tools to restart the affected instance or trigger a redeploy. Because Ceven has access to the GraphQL API, it can see the exact state of each machine across all regions. This allows the agent to make intelligent decisions, such as only restarting machines in a specific region if the failure is localized, rather than performing a global restart that could cause a total outage.
Ceven can manage your private network by adding or removing WireGuard peers. This is particularly useful for teams that need to dynamically grant access to internal services or connect external cloud resources to their Fly private network. The agent can automate the creation of delegated tokens and the addition of public keys to your organization. This removes the need for developers to manually edit network configurations via the CLI. You can set up a workflow where a request in a ticket system automatically triggers the agent to add a new peer to the Fly organization.
One important quirk is that the Fly API relies heavily on GraphQL for complex queries, which means some requests can be computationally expensive. Fly imposes rate limits on these API calls to ensure platform stability. If a Ceven workflow attempts to list thousands of machines across many organizations in a very short window, you may encounter rate limit errors. Ceven handles this by implementing an exponential backoff strategy, but for extremely large fleets, we recommend filtering your requests by region or app slug to reduce the payload size and stay within the API quotas.
Absolutely. The agent can call the Get Placements action to receive recommendations on the best regions for your machines based on resource requirements and volume constraints. You can build a workflow that analyzes current traffic patterns and then uses the placement data to suggest or execute a move to a more optimal region. This is especially useful for reducing latency for a global user base. The agent can compare the nearest region for various client locations and then automate the deployment of new machines to those specific areas to improve the end user experience.
Ceven does not maintain a persistent SSH connection to your machines. Instead, it uses the Issue Certificate action to generate short lived SSH certificates. When a workflow requires a secure connection for a specific task, the agent requests a certificate from Fly, uses it to authenticate, and then discards it. This follows the principle of least privilege and ensures that there are no long lived keys stored within the Ceven platform that could be compromised. All SSH activities are logged within your Fly organization audit trails for full visibility and compliance.
Ceven can read your billing state through the Get Personal Organization action. This allows the agent to monitor your credit balance and alert you when your funds are running low. While the agent can read this data to trigger notifications in Slack or email, it cannot independently add payment methods or change your billing tier for security reasons. You must handle actual payment updates through the Fly dashboard. However, you can automate the process of scaling down non critical machines when your budget reaches a certain threshold to prevent service interruption.
Yes. By using the Get Latest Image Tag action, Ceven can detect when a new image has been pushed to the Fly registry. You can create a workflow that polls for new tags and then triggers a deployment sequence. The agent can be configured to deploy the new version to a single staging machine first, run a health check, and then proceed with a rolling update across the rest of the fleet. This ensures that bad deployments are caught early and can be automatically rolled back by the agent if the health check fails.

Alternatives to Fly

Other tools that solve a similar problem. Ceven supports these too, so you can switch or run more than one at once.

DigitalOcean logoDigitalOceanRailway logoRailwayRender logoRender

Try Ceven on your stack

Plug Ceven on top of the tools you already run. Connect Fly and the rest of your stack, describe the outcome, and its agents handle the work end to end, days of it in minutes.

Get started for free