--- title: Security layout: docs nav: firecracker toc: false --- Securing a public cloud platform like Fly.io is a hard problem, and we take it seriously. The Fly.io platform comes with built-in security like hardware isolation, [private networking](/docs/networking/private-networking/) over WireGuard, and [TLS termination](/docs/networking/services/#tls-handler). --- <figure class="flex justify-center"> <img src="/?originalUrl=https%3A%2F%2Ffly.io%2F%26quot%3B%2Fstatic%2Fimages%2Fsecurity.png%26quot%3B%2520alt%3D%26quot%3BIllustration%2520by%2520Annie%2520Ruygt%2520of%2520a%2520phoenix%2520jumping%2520with%2520a%2520motor%2520bike%26quot%3B%2520class%3D%26quot%3Bmax-w-lg%26quot%3B%26gt%3B%26lt%3B%2Ffigure%26gt%3B%23%23%2520Organization%2520and%2520app%2520security_Security%2520for%2520customer%2520organizations%2520and%2520apps._-%2520**%5BOrganization%2520Roles%2520and%2520Permissions%5D(%2Fdocs%2Fsecurity%2Forg-roles-permissions%2F)%3A**%2520Understand%2520what%2520Members%2520and%2520Admins%2520can%2520do%2520in%2520a%2520Fly.io%2520organization%2C%2520and%2520how%2520to%2520manage%2520access%2520safely.-%2520**%5BUse%2520SSO%2520for%2520organizations%5D(%2Fdocs%2Fsecurity%2Fsso%2F)%3A**%2520Set%2520up%2520org-wide%2520Single%2520Sign-on%2520with%2520Google%2520or%2520GitHub.-%2520**%5BRemove%2520a%2520member%2520from%2520an%2520organization%5D(%2Fdocs%2Fsecurity%2Fremove-org-member%2F)%3A**%2520Remove%2520a%2520user%2520from%2520an%2520organization%2520and%2520take%2520steps%2520to%2520help%2520keep%2520the%2520organization%2520secure.-%2520**%5BBuilt-in%2520TLS%2520termination%5D(%2Fdocs%2Fsecurity%2Ftls-termination%2F)%3A**%2520You%2520get%2520TLS%2520termination%2520by%2520default%2520for%2520your%2520web%2520apps.%23%23%23%23%2520Security%2520extensions_Security%2520add-ons%2520from%2520our%2520extension%2520partners._-%2520**%5BApplication%2520Security%2520by%2520Arcjet%5D(%2Fdocs%2Fsecurity%2Farcjet%2F)%3A**%2520Use%2520the%2520Arcjet%2520security%2520layer%2520to%2520protect%2520your%2520JavaScript%2520app%2520with%2520just%2520a%2520few%2520lines%2520of%2520code.%23%23%23%23%2520Tokens_Control%2520access%2520to%2520your%2520Fly.io%2520organizations%2C%2520apps%2C%2520and%2520Machines%2520with%2520tokens._-%2520**%5BAccess%2520tokens%5D(%2Fdocs%2Fsecurity%2Ftokens%2F)%3A**%2520Use%2520tokens%2520to%2520manage%2520access%2520to%2520organizations%2520and%2520apps.-%2520**%5BOpenID%2520Connect%5D(%2Fdocs%2Fsecurity%2Fopenid-connect%2F)%3A**%2520Use%2520OpenID%2520Connect%2520(OIDC)%2520to%2520manage%2520access%2520to%25203rd%2520party%2520services.---%23%23%2520Fly.io%2520platform%2520security_Fly.io%2520corporate%2520security%2C%2520compliance%2C%2520and%2520shared%2520responsibility._-%2520**%5BShared%2520responsibility%2520model%5D(%2Fdocs%2Fsecurity%2Fshared-responsibility%2F)%3A**%2520An%2520overview%2520of%2520the%2520separation%2520of%2520responsibilities%2520for%2520security%2520on%2520Fly.io.-%2520**%5BFly.io%2520security%2520practices%2520and%2520compliance%2520overview%5D(%2Fdocs%2Fsecurity%2Fsecurity-at-fly-io%2F)%3A**%2520Learn%2520about%2520our%2520security%2520practices%2520for%2520the%2520Fly.io%2520platform.---%23%23%2520Talk%2520to%2520the%2520security%2520teamIf%2520you%2520have%2520a%2520security%2520question%2C%2520concern%2C%2520or%2520believe%2520you%25E2%2580%2599ve%2520found%2520a%2520vulnerability%2520in%2520any%2520part%2520of%2520our%2520infrastructure%2C%2520please%2520contact%2520us.%2520You%2520can%2520reach%2520us%2520at%2520%5B**security%40fly.io**%5D(mailto%3Asecurity%40fly.io)%2C%2520and%2520we%2520can%2520provide%2520you%2520with%2520a%2520Signal%2520number%2520if%2520needed%2520to%2520convey%2520sensitive%2520information.%253C%2Fdiv">

Security

Securing a public cloud platform like Fly.io is a hard problem, and we take it seriously. The Fly.io platform comes with built-in security like hardware isolation, private networking over WireGuard, and TLS termination.

---

Organization and app security

Security for customer organizations and apps.

• Organization Roles and Permissions: Understand what Members and Admins can do in a Fly.io organization, and how to manage access safely.
• Use SSO for organizations: Set up org-wide Single Sign-on with Google or GitHub.
• Remove a member from an organization: Remove a user from an organization and take steps to help keep the organization secure.
• Built-in TLS termination: You get TLS termination by default for your web apps.

Security extensions

Security add-ons from our extension partners.

• Application Security by Arcjet: Use the Arcjet security layer to protect your JavaScript app with just a few lines of code.

Tokens

Control access to your Fly.io organizations, apps, and Machines with tokens.

• Access tokens: Use tokens to manage access to organizations and apps.
• OpenID Connect: Use OpenID Connect (OIDC) to manage access to 3rd party services.

---

Fly.io platform security

Fly.io corporate security, compliance, and shared responsibility.

• Shared responsibility model: An overview of the separation of responsibilities for security on Fly.io.
• Fly.io security practices and compliance overview: Learn about our security practices for the Fly.io platform.

---

Talk to the security team

If you have a security question, concern, or believe you’ve found a vulnerability in any part of our infrastructure, please contact us. You can reach us at security@fly.io, and we can provide you with a Signal number if needed to convey sensitive information.

Copy page as markdown or Open in ChatGPT

Report an issue or edit this page on GitHub