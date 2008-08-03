You can generate an API token to serve as the Access Key for usage with existing S3-compatible SDKs or XML APIs.

You must purchase R2 before you can generate an API token.

To create an API token:

In Account Home, select R2. Under the API dropdown, select Manage API tokens ↗ . Choose to create either: Create Account API token - These tokens are tied to the Cloudflare account itself and can be used by any authorized system or user. Only users with the Super Administrator role can view or create them. These tokens remain valid until manually revoked.

- These tokens are tied to the Cloudflare account itself and can be used by any authorized system or user. Only users with the Super Administrator role can view or create them. These tokens remain valid until manually revoked. Create User API token - These tokens are tied to your individual Cloudflare user. They inherit your personal permissions and become inactive if your user is removed from the account. Under Permissions, choose a permission types for your token. Refer to Permissions for information about each option. (Optional) If you select the Object Read and Write or Object Read permissions, you can scope your token to a set of buckets. Select Create Account API token or Create User API token.

After your token has been successfully created, review your Secret Access Key and Access Key ID values. These may often be referred to as Client Secret and Client ID, respectively.

Warning You will not be able to access your Secret Access Key again after this step. Copy and record both values to avoid losing them.

You will also need to configure the endpoint in your S3 client to https://<ACCOUNT_ID>.r2.cloudflarestorage.com .

Find your account ID in the Cloudflare dashboard.

Buckets created with jurisdictions must be accessed via jurisdiction-specific endpoints:

European Union (EU): https://<ACCOUNT_ID>.eu.r2.cloudflarestorage.com

FedRAMP: https://<ACCOUNT_ID>.fedramp.r2.cloudflarestorage.com

Warning Jurisdictional buckets can only be accessed via the corresponding jurisdictional endpoint. Most S3 clients will not let you configure multiple endpoints , so you'll generally have to initialize one client per jurisdiction.

Permissions

Permission Description Admin Read & Write Allows the ability to create, list and delete buckets, and edit bucket configurations in addition to list, write, and read object access. Admin Read only Allows the ability to list buckets and view bucket configuration in addition to list and read object access. Object Read & Write Allows the ability to read, write, and list objects in specific buckets. Object Read only Allows the ability to read and list objects in specific buckets.

Create API tokens via API

You can create API tokens via the API and use them to generate corresponding Access Key ID and Secret Access Key values. To get started, refer to Create API tokens via the API. Below are the specifics for R2.

Access Policy

An Access Policy specifies what resources the token can access and the permissions it has.

Resources

There are two relevant resource types for R2: Account and Bucket . For more information on the Account resource type, refer to Account.

Bucket

Include a set of R2 buckets or all buckets in an account.

A specific bucket is represented as:

"com.cloudflare.edge.r2.bucket.<ACCOUNT_ID>_<JURISDICTION>_<BUCKET_NAME>" : "*"

ACCOUNT_ID : Refer to Find zone and account IDs.

: Refer to Find zone and account IDs. JURISDICTION : The jurisdiction where the R2 bucket lives. For buckets not created in a specific jurisdiction this value will be default .

: The jurisdiction where the R2 bucket lives. For buckets not created in a specific jurisdiction this value will be . BUCKET_NAME : The name of the bucket your Access Policy applies to.

All buckets in an account are represented as:

"com.cloudflare.api.account.<ACCOUNT_ID>" : { " com.cloudflare.edge.r2.bucket.* " : "*" }

Permission groups

Determine what permission groups should be applied. There are four relevant permission groups for R2.

Permission group Resource Permission Workers R2 Storage Write Account Admin Read & Write Workers R2 Storage Read Account Admin Read only Workers R2 Storage Bucket Item Write Bucket Object Read & Write Workers R2 Storage Bucket Item Read Bucket Object Read only

Example Access Policy

[ { " id " : "f267e341f3dd4697bd3b9f71dd96247f" , " effect " : "allow" , " resources " : { " com.cloudflare.edge.r2.bucket.4793d734c0b8e484dfc37ec392b5fa8a_default_my-bucket " : "*" , " com.cloudflare.edge.r2.bucket.4793d734c0b8e484dfc37ec392b5fa8a_eu_my-eu-bucket " : "*" }, " permission_groups " : [ { " id " : "6a018a9f2fc74eb6b293b0c548f38b39" , " name " : "Workers R2 Storage Bucket Item Read" } ] } ]

Get S3 API credentials from an API token

You can get the Access Key ID and Secret Access Key values from the response of the Create Token API:

Access Key ID: The id of the API token.

of the API token. Secret Access Key: The SHA-256 hash of the API token value .

Refer to Authenticate against R2 API using auth tokens for a tutorial with JavaScript, Python, and Go examples.

Temporary access credentials

If you need to create temporary credentials for a bucket or a prefix/object within a bucket, you can use the temp-access-credentials endpoint in the API. You will need an existing R2 token to pass in as the parent access key id. You can use the credentials from the API result for an S3-compatible request by setting the credential variables like so:

AWS_ACCESS_KEY_ID = <accessKeyId> AWS_SECRET_ACCESS_KEY = <secretAccessKey> AWS_SESSION_TOKEN = <sessionToken>