How to create an R2 API Token via Cloudflare API

I need to be able to access an R2 bucket using an API token/secret. I would like to generate the token/secret via the Cloudflare API (specifically using a curl command). I have been unable to determine if this is possible, much less how to accomplish it.

I have looked through the docs and this was the closest thing that I could find, but I don’t know if it is what I need.

Any help would be greatly appreciated!

1 Like

I think you are on the right track here.

You could manually create one that you need (with the permissions) and then validate it using: Cloudflare API Documentation

Here are the list of Permissions which you would probably see in your entry: API token permissions · Cloudflare Fundamentals docs (search R2)

I hope this helps!

I appreciate your response!

I guess I am still unsure if this is what I need. I am trying to access a bucket via the S3 API so I need an access key id and a secret access key. I don’t see anywhere in the documentation how to obtain these using the Cloudflare API. Essentially I want to replace the steps outlined Authentication · Cloudflare R2 docs with a Cloudflare API call, but I think the docs that we both referenced are for tokens to access an account, not a bucket?

Alternatively, if I already have these credentials and they are scoped to a different bucket is it possible to re-scope them to have access to a new bucket via the Cloudflare API?

It looks like you can create a Temporary Access Token: Cloudflare API Documentation

To answer your second question, you might be able to update the scope of the existing token via the UI.

I see, thank you! The first part is exactly what I was after.

As for updating the scope, I do see where that can be accomplished via the UI, but I was wondering if there is a way to accomplish the same via the Cloudflare API.

1 Like

Can you share your use case? I will pass this feedback to the team

Sure! The team I work with has a Cloudflare account, but the lead does not want to share account credentials so I cannot access the UI. Instead I have a user token that should allow me to do everything I need via the Cloudflare API. In my case, I need to be able to create new R2 buckets, place data in them via Python scripts, and access that data via front ends (React and SvelteKit websites hosted on Cloudflare Pages). Right now I can create the R2 buckets, but I cannot R/W until I have the account owner re-scope my token via the UI to include the new bucket. This works, but it would be more convenient for me to be able to re-scope the token via the API.