src/content/docs/r2/api/tokens.mdx
Lines changed: 85 additions & 91 deletions
@@ -3,7 +3,6 @@ title: Authentication
3
3
pcx_content_type: how-to
4
4
sidebar:
5
5
order: 2
6
-
7
6
---
8
7
9
8
You can generate an API token to serve as the Access Key for usage with existing S3-compatible SDKs or XML APIs.
@@ -13,38 +12,35 @@ You must purchase R2 before you can generate an API token.
13
12
To create an API token:
14
13
15
14
1. In **Account Home**, select **R2**.
16
-
2. Under **Account details**, select **Manage R2 API tokens**.
17
-
3. Select [**Create API token**](https://dash.cloudflare.com/?to=/:account/r2/api-tokens).
18
-
4. Select the **R2 Token** text to edit your API token name.
19
-
5. Under **Permissions**, choose a permission types for your token. Refer to [Permissions](#permissions) for information about each option.
20
-
6. (Optional) If you select the **Object Read and Write** or **Object Read** permissions, you can scope your token to a set of buckets.
21
-
7. Select **Create API Token**.
15
+
2. Under the **API** dropdown, select [**Manage API tokens**](https://dash.cloudflare.com/?to=/:account/r2/api-tokens).
16
+
3. Choose to create either:
17
+
-**Create Account API token** - These tokens are tied to the Cloudflare account itself and can be used by any authorized system or user. Only users with the Super Administrator role can view or create them. These tokens remain valid until manually revoked.
18
+
-**Create User API token** - These tokens are tied to your individual Cloudflare user. They inherit your personal permissions and become inactive if your user is removed from the account.
19
+
4. Under **Permissions**, choose a permission types for your token. Refer to [Permissions](#permissions) for information about each option.
20
+
5. (Optional) If you select the **Object Read and Write** or **Object Read** permissions, you can scope your token to a set of buckets.
21
+
6. Select **Create Account API token** or **Create User API token**.
22
22
23
23
After your token has been successfully created, review your **Secret Access Key** and **Access Key ID** values. These may often be referred to as Client Secret and Client ID, respectively.
24
24
25
25
:::caution
26
26
27
-
28
27
You will not be able to access your **Secret Access Key** again after this step. Copy and record both values to avoid losing them.
29
28
30
-
31
29
:::
32
30
33
31
You will also need to configure the `endpoint` in your S3 client to `https://<ACCOUNT_ID>.r2.cloudflarestorage.com`.
34
32
35
33
Find your [account ID in the Cloudflare dashboard](/fundamentals/setup/find-account-and-zone-ids/).
36
34
37
-
Buckets created with jurisdictions must be accessed via jurisdiction-specific `endpoint`s:
35
+
Buckets created with jurisdictions must be accessed via jurisdiction-specific endpoints:
38
36
39
-
* European Union (EU): `https://<ACCOUNT_ID>.eu.r2.cloudflarestorage.com`
Jurisdictional buckets can only be accessed via the corresponding jurisdictional endpoint. Most S3 clients will not let you configure multiple `endpoints`, so you'll generally have to initialize one client per jurisdiction.
46
43
47
-
48
44
:::
49
45
50
46
## Permissions
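Review bot: the old step 4 ("Select the **R2 Token** text to edit your API token name") is removed and none of the new steps 2 to 6 says how the token gets its name. If the new flow still has a name field, keep a step for it: the added text says account tokens "remain valid until manually revoked", and a recognisable name is what lets an administrator pick out the right token when revoking. New step 4 also carries over "choose a permission types" from the old step 5; change it to "a permission type". In new step 6, consider tying the button back to the choice made in step 3 so it is clear the two options are not interchangeable at that point.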
@@ -78,9 +74,9 @@ A specific bucket is represented as:
*`ACCOUNT_ID`: Refer to [Find zone and account IDs](/fundamentals/setup/find-account-and-zone-ids/#find-account-id-workers-and-pages).
82
-
*`JURISDICTION`: The [jurisdiction](/r2/reference/data-location/#available-jurisdictions) where the R2 bucket lives. For buckets not created in a specific jurisdiction this value will be `default`.
83
-
*`BUCKET_NAME`: The name of the bucket your Access Policy applies to.
77
+
-`ACCOUNT_ID`: Refer to [Find zone and account IDs](/fundamentals/setup/find-account-and-zone-ids/#find-account-id-workers-and-pages).
78
+
-`JURISDICTION`: The [jurisdiction](/r2/reference/data-location/#available-jurisdictions) where the R2 bucket lives. For buckets not created in a specific jurisdiction this value will be `default`.
79
+
-`BUCKET_NAME`: The name of the bucket your Access Policy applies to.
84
80
85
81
All buckets in an account are represented as:
86
82
@@ -90,97 +86,97 @@ All buckets in an account are represented as:
90
86
}
91
87
```
92
88
93
-
*`ACCOUNT_ID`: Refer to [Find zone and account IDs](/fundamentals/setup/find-account-and-zone-ids/#find-account-id-workers-and-pages).
89
+
-`ACCOUNT_ID`: Refer to [Find zone and account IDs](/fundamentals/setup/find-account-and-zone-ids/#find-account-id-workers-and-pages).
94
90
95
91
#### Permission groups
96
92
97
93
Determine what [permission groups](/fundamentals/api/how-to/create-via-api/#permission-groups) should be applied. There are four relevant permission groups for R2.
You can get the Access Key ID and Secret Access Key values from the response of the [Create Token](/api/resources/user/subresources/tokens/methods/create/) API:
181
177
182
-
* Access Key ID: The `id` of the API token.
183
-
* Secret Access Key: The SHA-256 hash of the API token `value`.
178
+
- Access Key ID: The `id` of the API token.
179
+
- Secret Access Key: The SHA-256 hash of the API token `value`.
184
180
185
181
Refer to [Authenticate against R2 API using auth tokens](/r2/examples/authenticate-r2-auth-tokens/) for a tutorial with JavaScript, Python, and Go examples.
The temporary access key cannot have a permission that is higher than the parent access key. e.g. if the parent key is set to `Object Read Write`, the temporary access key could only have `Object Read Write` or `Object Read Only` permissions.
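Review bot: the rewritten Secret Access Key bullet still reads only "The SHA-256 hash of the API token `value`" and does not say which encoding of the hash the S3 client expects. Since the line is being touched anyway, state the encoding here or say explicitly that the linked tutorial shows it. The last context line of this hunk also names the permissions `Object Read Write` and `Object Read Only`, while the token-creation steps earlier in the file call them **Object Read and Write** and **Object Read**; use one set of names throughout, and rephrase the sentence fragment that begins with a lowercase "e.g.".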