# Cloudflare R2

This guide walks you through creating a Cloudflare R2 API token and connecting your bucket to SimpleBackups — whether you're using R2 as a **backup destination** (storing backups in R2) or as a **backup source** (syncing data *from* R2).

## Which permission do I need?

Cloudflare offers four R2 token permission levels. Pick the one that matches how you'll use the bucket in SimpleBackups — least privilege is best.

| How you'll use R2 in SimpleBackups | Cloudflare permission to choose | Why |
| --- | --- | --- |
| **Backup destination** (store backups in R2) | `Object Read & Write` | SimpleBackups needs to upload, overwrite, and delete objects to apply your retention policy. |
| **Backup / Sync source** (copy data *from* R2) | `Object Read only` | We only need to list and read objects. |
| **Let SimpleBackups create the bucket for you** | `Admin Read & Write` | Required to create new buckets and edit bucket configuration. |

`Object Read & Write` and `Object Read only` can both be **scoped to specific buckets**, which we recommend. `Admin` permissions are account-wide and cannot be bucket-scoped.

> **Use an Account API token, not a User API token.** Account tokens are tied to your Cloudflare account and survive teammate changes. User tokens become inactive if the user who created them leaves the account — which will silently break your backups. See [Cloudflare's notes on token types](https://developers.cloudflare.com/r2/api/tokens/#account-api-tokens-vs-user-api-tokens).

## Step 1: Open R2 API Tokens

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/).
2. Click **R2** in the left sidebar, then **Overview**.
3. Click **Manage R2 API Tokens** (top right), then **Create API Token**.

![CloudFlare R2 screenshot 1](https://simplebackups.com/docs/docs-assets/media-helpkit-co/cc7704a608677399bd6a.png)

![CloudFlare R2 screenshot 2](https://simplebackups.com/docs/docs-assets/media-helpkit-co/4ebff3e09e34dbd3421d.png)

## Step 2: Configure the token

1. **Token name** — something descriptive, e.g. `simplebackups-prod-r2`.
2. **Permissions** — pick the level from the table above based on your use case.
3. **Specify bucket(s)** — for `Object` permissions, restrict the token to the bucket(s) you'll back up to/from.
4. **TTL** — leave as "Forever" unless you have a rotation policy in place.
5. (Optional) **Client IP Address Filtering** — leave empty; SimpleBackups uses a dynamic range of IPs.
6. Click **Create API Token**.

![CloudFlare R2 screenshot 3](https://simplebackups.com/docs/docs-assets/media-helpkit-co/4f260e7c8f23cb9380b0.png)

For the canonical screenshot-by-screenshot walkthrough of the Cloudflare UI, see [Cloudflare's "Authentication" docs](https://developers.cloudflare.com/r2/api/tokens/#create-api-tokens).

## Step 3: Copy your credentials

After creating the token, Cloudflare shows the credentials **only once**. Copy and paste them into SimpleBackups:

- **Access Key ID** — paste into **Key** in SimpleBackups.
- **Secret Access Key** — paste into **Secret** in SimpleBackups.
- **S3 API endpoint** — paste into **S3 API Endpoint** in SimpleBackups, with your bucket name appended:
  `https://<accountid>.r2.cloudflarestorage.com/<bucket-name>`

> **EU jurisdiction buckets:** if your bucket is in the EU jurisdiction, use `https://<accountid>.eu.r2.cloudflarestorage.com/<bucket-name>`. The default endpoint will not reach EU-jurisdiction buckets.

![CloudFlare R2 screenshot 4](https://simplebackups.com/docs/docs-assets/media-helpkit-co/ec170314bccff3eeded6.png)

![CloudFlare R2 screenshot 5](https://simplebackups.com/docs/docs-assets/media-helpkit-co/dbf283fa4fd513fd694b.png)

## Step 4: Connect R2 in SimpleBackups

In SimpleBackups, open the storage selector, click **Connect new Storage**, and choose **Cloudflare R2** as the provider.

![Selecting Cloudflare R2 as the storage provider in SimpleBackups](https://simplebackups.com/docs/docs-assets/simplebackups/cloudflare-r2-provider-dropdown.png)

Fill in the Cloudflare R2 storage form:

| SimpleBackups field | What to enter |
| --- | --- |
| **Key** | Cloudflare **Access Key ID** |
| **Secret** | Cloudflare **Secret Access Key** |
| **S3 API Endpoint** | Your R2 endpoint with the bucket name at the end, e.g. `https://<accountid>.r2.cloudflarestorage.com/<bucket-name>` |
| **Path** | Optional folder/prefix inside the bucket. Use `/` for the bucket root. |

![Cloudflare R2 storage form in SimpleBackups](https://simplebackups.com/docs/docs-assets/simplebackups/cloudflare-r2-storage-form.png)

## You're done

SimpleBackups will now be able to read from or write to your R2 bucket, depending on the permissions you granted. If a backup fails with an `AccessDenied` error, the most common cause is that the token was created with `Object Read only` but is being used as a destination — re-create it with `Object Read & Write`.
