Rotating R2 credentials

If your R2 access key leaked or you just want to rotate on a schedule:

• Open Files in the sidebar.
• In the Buckets column header, click the gear icon (manage credentials) — it sits next to the link and plus icons.
• In the R2 credentials modal, click Regenerate and confirm the prompt.

Under the hood Flarelink does a mint-then-revoke: a fresh keypair is minted via your Cloudflare API token, validated against R2, written to the project, and only then the previous Flarelink-managed token is revoked. The new accessKeyId + secretAccessKey are shown exactly once in a secret modal — copy them somewhere safe.

The new keys are also fanned out to every auth Worker on the project (their flarelink_config is updated and the Worker is pinged to reload), so server-side flarelink.storage.* calls switch over within a second.

• Pasted credentials (you brought your own R2 keypair instead of letting Flarelink mint one) only get Clear credentials — there's no Regenerate button. Revoke the old token in the Cloudflare dashboard, then re-open the modal and paste a new keypair.
• In-flight presigned URLs signed with the old keys will fail after the old token is revoked. Rotate during a quiet window if you have heavy traffic.
• If the dashboard reports any sync failures after rotation (a Worker couldn't be reload-pinged), give it 60s — the Worker's flarelink_config cache TTL flushes on its own.
• Clear credentials revokes the underlying CF token too when the keypair is Flarelink-minted. flarelink.storage.* calls will start returning R2_NOT_CONFIGURED until you regenerate or paste a new one.