
Buckets

Named containers for your objects, with per-bucket settings.

A bucket is a named container for objects, scoped to your workspace. Bucket names are unique per workspace.

Visibility

  • private (default) — objects are only accessible via the API or signed URLs.
  • public — objects can be served publicly.

await storage.buckets.create({ name: "avatars", visibility: "public" });
await storage.buckets.list();
await storage.buckets.get("avatars");
await storage.buckets.update("avatars", { visibility: "private" });
await storage.buckets.delete("avatars"); // must be empty

Deleting a bucket requires it to be empty. Use batch-delete to clear it first.

Isolation

Behind the scenes, a bucket maps to an isolated key prefix ({tenant}/{bucket}/…) inside Vault's physical R2 pool. Objects in one workspace can never be read from another — every request re-checks ownership.
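A sketch of how a prefix mapping like this can be kept tenant-safe, as an added example that is not Vault's own code. The function names, the naming rule and the in-memory registry are assumptions made for illustration; the caller's tenant is assumed to come from the authenticated session, never from the request.

```javascript
// Added illustration, not Vault's implementation. All names and rules here are assumptions.
const NAME_RE = /^[a-z0-9][a-z0-9-]{1,62}$/; // assumed rule: no "/" or "." in tenant or bucket

// Build the physical key {tenant}/{bucket}/{objectKey}, refusing anything that
// could step outside the prefix once a downstream layer normalises the path.
function physicalKey(tenant, bucket, objectKey) {
  if (!NAME_RE.test(tenant)) throw new Error("invalid tenant id");
  if (!NAME_RE.test(bucket)) throw new Error("invalid bucket name");
  if (typeof objectKey !== "string" || objectKey.length === 0) {
    throw new Error("empty object key");
  }
  if (/[\u0000-\u001f\\]/.test(objectKey)) {
    throw new Error("control character or backslash in object key");
  }
  const segments = objectKey.split("/");
  if (segments.some((s) => s === "" || s === "." || s === "..")) {
    throw new Error("object key has an empty, '.' or '..' segment");
  }
  return `${tenant}/${bucket}/${objectKey}`;
}

// Per-request ownership check: the bucket must be registered under the caller's tenant.
// Bucket names are unique per workspace only, so the lookup key includes the tenant.
function resolve(registry, callerTenant, bucket, objectKey) {
  const key = physicalKey(callerTenant, bucket, objectKey);
  if (!registry.has(`${callerTenant}/${bucket}`)) {
    throw new Error("bucket not found"); // same error whether it is absent or owned elsewhere
  }
  return key;
}

// Prefix test for keys that arrive already in physical form (for example from a listing).
// The trailing "/" matters: without it tenant "acme" would match "acme2/...".
function ownsKey(callerTenant, physical) {
  return physical.startsWith(`${callerTenant}/`);
}

// Constructed sample data: two workspaces that both have a bucket named "avatars".
const registry = new Set(["acme/avatars", "globex/avatars", "globex/reports"]);
console.log(resolve(registry, "acme", "avatars", "u/1.png"));   // acme/avatars/u/1.png
console.log(resolve(registry, "globex", "avatars", "u/1.png")); // globex/avatars/u/1.png
console.log(ownsKey("acme", "acme2/avatars/u/1.png"));          // false
```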
