superfly · jbellerb · Jan 20, 2026 · Jan 19, 2026 · Jan 20, 2026
diff --git a/machines/api/machines-resource.html.markerb b/machines/api/machines-resource.html.markerb
@@ -1267,7 +1267,7 @@ You cannot change which volume a Machine is attached to by updating the Machine'
           - `headers`: ({"headers": {string:string}} (nil)) HTTP headers to set on responses.
           - `pristine`: bool (false) - If true, do not add any Fly.io headers to HTTP responses. The following response headers won’t be added and won’t be modified if returned by the app: `Server`, `Via`, `Fly-Request-Id`, `Fly-Cache-Status`.
       + `tls_options`:  Fiddly TLS options (if you don’t know you need to mess with these, you don’t need to), including:
-        - `alpn`: [string, string] ([]) : ALPN protocols to present TLS clients (for instance, [“h2”, “http/1.1”]).
+        - `alpn`: [string, string] ([]) : ALPN protocols to present TLS clients (for example, [“mqtt”]).
         - `default_self_signed`: bool (false) - If true, serve a self-signed certificate if no certificate exists.
         - `versions`: [string, string] ([]) : TLS versions to allow (for instance, [“TLSv1.2”, “TLSv1.3”]).
       + `proxy_proto_options`: Configure the version of the PROXY protocol that your app accepts. Version 1 is the default.

diff --git a/networking/services.html.markerb b/networking/services.html.markerb
@@ -178,9 +178,9 @@ Configuration examples in `fly.toml`:
 [[services]]
 ...
   [[services.ports]]
-    handlers = ["tls", "http"]
+    handlers = ["tls"]
     port = 443
-    tls_options = { "alpn" = ["h2", "http/1.1"], "versions" = ["TLSv1.2", "TLSv1.3"] }
+    tls_options = { "alpn" = ["mqtt"], "versions" = ["TLSv1.2", "TLSv1.3"] }
 ```
 
 ```toml

diff --git a/reference/configuration.html.markerb b/reference/configuration.html.markerb
@@ -719,13 +719,13 @@ Configure the TLS versions and ALPN protocols that Fly's edge will use to termin
 
 Fly.io can also terminate TLS only and pass through directly to your service. This works for a variety of applications that can benefit from offloading TLS termination and accept the unencrypted connection.
 
-One use case is applications using HTTP/2, like gRPC. Fly's edge terminates TLS and sends h2c (HTTP/2 without TLS) directly to your application through our backhaul. The config below will negotiate HTTP/2 with clients, and then send h2c to the application:
+One use case is transmitting messages over MQTT. Fly's edge terminates TLS and sends unencrypted MQTT directly to your application through our backhaul. The config below will negotiate MQTT over TLS with clients, and then send unencrypted MQTT to the application:
 
 ```toml
   [[services.ports]]
     handlers = ["tls"]
     port = 443
-    tls_options = { "alpn" = ["h2"] }
+    tls_options = { "alpn" = ["mqtt"] }
 ```
 
 ### `services.concurrency`