> ## Documentation Index > Fetch the complete documentation index at: https://onecli.sh/docs/llms.txt > Use this file to discover all available pages before exploring further. # Fly.io Integration: Deploy & Manage Apps for Agents > Agents can deploy and manage applications, Machines, volumes, and secrets on Fly.io. API tokens are injected at the gateway. ## Overview OneCLI connects AI agents to Fly.io so they can deploy and manage applications, Machines, volumes, and secrets. The gateway injects your API token into requests automatically. ## Setup Generate a token from the [Fly.io dashboard](https://fly.io/dashboard) or run: ```bash theme={null} fly tokens create org ``` Open the OneCLI dashboard, go to **Connections** > **Fly.io**, and paste your API token. ## How it works 1. Your API token is encrypted and stored by OneCLI 2. When an agent sends a request to `api.machines.dev` or `api.fly.io`, the gateway intercepts it 3. The gateway injects the token as an `Authorization: Bearer` header 4. The request is forwarded to Fly.io Agents never see the raw token. ## What agents can do | Area | Examples | | ---------------- | -------------------------------------------- | | **Apps** | Create, list, and manage Fly applications | | **Machines** | Start, stop, and configure Fly Machines | | **Volumes** | Create and manage persistent storage volumes | | **Secrets** | Set and unset application secrets | | **Deployments** | Deploy new releases | | **Certificates** | Manage TLS certificates for custom domains | ## Use cases * Coding agents deploying applications after building * Infrastructure agents scaling Machines up or down * Monitoring agents checking application health * Agents managing secrets and environment variables ## Controlling access with rules Use OneCLI's [rules engine](/guides/rules) to restrict agent access. For example, block destructive operations like deleting apps or machines, or rate-limit deployments. Rules are evaluated before credential injection.