Concepts
Buckets
Named containers for your objects, with per-bucket settings.
A bucket is a named container for objects, scoped to your workspace. Bucket names are unique per workspace.
Visibility
private(default) — objects are only accessible via the API or signed URLs.public— objects can be served publicly.
await storage.buckets.create({ name: "avatars", visibility: "public" });
await storage.buckets.list();
await storage.buckets.get("avatars");
await storage.buckets.update("avatars", { visibility: "private" });
await storage.buckets.delete("avatars"); // must be emptyDeleting a bucket requires it to be empty. Use
batch-delete to clear it first.
Isolation
Behind the scenes, a bucket maps to an isolated key prefix
({tenant}/{bucket}/…) inside Vault's physical R2 pool. Objects in one workspace
can never be read from another — every request re-checks ownership.