Configuring Cloudflare R2 with quickS3
Cloudflare R2 is S3-compatible object storage with simple pricing. Create an R2 token, connect it to quickS3, and use auto CORS so browser uploads work.
Cloudflare R2 is S3-compatible object storage with deliberately simple pricing, and the headline feature is that it doesn’t charge for egress. Because it speaks the S3 API, you connect it to quickS3 the same way you’d connect AWS S3: an access key, secret key, endpoint, and bucket name.
Why Cloudflare R2?
The big draw is no egress fees, which makes the bill predictable in a way S3 often isn’t, especially for anything serving a lot of downloads. On top of that it’s a normal S3 endpoint, so standard S3 tooling and SDKs work, and it pairs well with presigned URLs and browser uploads once CORS is set.
Prerequisites
Before you start, make sure you have:
- A Cloudflare account with R2 enabled
- An R2 bucket (or create one in Step 1)
- Somewhere to store your Secret Access Key, since you can only view it once
Step 1: Create an R2 bucket
- Log in to the Cloudflare dashboard
- Go to R2 (R2 Object Storage)
- Click Create bucket
- Pick a bucket name (lowercase, no spaces is safest)
Step 2: Create an R2 S3 API token (Access Key + Secret Key)
Cloudflare R2 uses R2 API tokens as S3 credentials.
-
In the Cloudflare dashboard, go to R2 → Manage R2 API tokens
-
Create a token (either Account API token or User API token)
-
Under Permissions, pick the smallest permission that works for you:
- Admin Read & Write: bucket management plus full object access (only use if you truly need it)
- Admin Read only: list buckets, view bucket configuration, and read/list objects (useful if you need visibility across buckets)
- Object Read & Write (recommended): read, write, and list objects, and you can scope it to specific buckets
- Object Read only: read and list objects, and you can scope it to specific buckets
If you choose an Object permission, you will not be able to list buckets via the API. In that case quickS3 can’t discover buckets for you, so you’ll need to type the bucket names manually in quickS3’s provider connection form.
-
If you chose Object Read & Write or Object Read only, scope it to your bucket(s)
-
Leave Client IP Address Filtering empty (unless you have a known static outbound IP you want to restrict to). Setting this incorrectly can stop quickS3 from using the token.
-
Create the token and copy both values:
- Access Key ID
- Secret Access Key (you will not be able to view this again)
Step 3: Find your R2 S3 endpoint (and region)
R2’s S3 endpoint is based on your Cloudflare Account ID:
- Endpoint:
https://<<ACCOUNT_ID>>.r2.cloudflarestorage.com
For most S3 clients, the bucket region is:
- Region:
auto
If a tool won’t accept auto, Cloudflare notes that a blank region (or us-east-1) usually aliases to auto for compatibility.
If you created a jurisdictional bucket, you must use the matching endpoint:
- EU buckets:
https://<<ACCOUNT_ID>>.eu.r2.cloudflarestorage.com - FedRAMP buckets:
https://<<ACCOUNT_ID>>.fedramp.r2.cloudflarestorage.com
Step 4: Connect Cloudflare R2 to quickS3
- In quickS3, go to Storage Providers
- Click Add Provider → Cloudflare R2
- Fill in:
- Endpoint:
https://<<ACCOUNT_ID>>.r2.cloudflarestorage.com(or jurisdiction endpoint) - Region:
auto(orus-east-1if needed) - Bucket scopes (optional): leave blank to list all buckets the token can access, or enter a comma-separated list of bucket names
- Access Key ID / Secret Access Key: from Step 2
- Endpoint:
- Leave Allow quickS3 to update bucket CORS settings (recommended) on. When you save or test the connection, quickS3 adds the quicks3.com origin to your R2 bucket’s CORS policy so browser uploads work. You usually don’t need to configure CORS manually.
Once saved, quickS3 should be able to list objects right away, assuming your token is scoped correctly.
Optional: Configure CORS manually
If you turn off CORS auto-update or prefer to manage CORS yourself, you can set it in the Cloudflare dashboard or with Wrangler.
In the Cloudflare dashboard:
- In the Cloudflare dashboard, open R2 and select your bucket
- Go to Settings
- Under CORS Policy, click Add CORS policy
- In the JSON tab, paste a policy like this (adjust origins as needed):
[
{
"AllowedOrigins": ["https://quicks3.com"],
"AllowedMethods": ["GET", "PUT", "HEAD", "DELETE"],
"AllowedHeaders": ["*"],
"ExposeHeaders": ["ETag"],
"MaxAgeSeconds": 3600
}
]
Origins must match exactly (no path, no trailing slash). In rare cases, CORS changes can take up to ~30 seconds to propagate.
Or with npx wrangler:
- Install / run Wrangler and log in:
npx wrangler login
- Create a
cors.jsonfile (example below).
{
"rules": [
{
"allowed": {
"origins": ["https://quicks3.com"],
"methods": ["GET", "PUT", "HEAD", "DELETE"]
}
}
]
}
- Apply the CORS policy to your bucket:
npx wrangler r2 bucket cors set <<BUCKET_NAME>> --file cors.json
- Verify what’s currently set:
npx wrangler r2 bucket cors list <<BUCKET_NAME>>
Troubleshooting
Access denied / signature errors
- Confirm you’re using the correct endpoint for your bucket’s jurisdiction (default vs EU vs FedRAMP)
- Confirm the token has Object Read & Write (or at least the permissions you need)
- If the token is bucket-scoped, make sure your bucket is included
Browser says “CORS policy blocked”
- Make sure
AllowedOriginsincludes the exact origin the browser is running on - If you’re testing locally, add
http://localhost:<port>as an additional allowed origin - Make sure
AllowedHeadersincludes any headers your request is sending (["*"]is easiest to start with)
Ready to try it? Sign up for quickS3 and connect your Cloudflare R2 bucket.
Read next
Configuring Backblaze B2 with quickS3
Connect Backblaze B2 to quickS3 for secure team access to S3-compatible storage. Set up buckets, CORS, and browser uploads in minutes.
Getting Started with AWS S3 and quickS3
Connect AWS S3 to quickS3 for secure team file access without IAM complexity. Configure buckets, roles, and browser uploads in minutes.
Using Wasabi with quickS3 for Cost-Effective Storage
Wasabi offers no egress fees and flat-rate pricing. Connect Wasabi to quickS3 for secure team access, browser uploads, and predictable storage costs.