From 20c9bca34a1a548d22d51b10098dcfbc6bbf8ba3 Mon Sep 17 00:00:00 2001 From: Julien Herr Date: Sat, 23 May 2026 17:50:04 +0200 Subject: [PATCH] docs(readme): note R2 permission needed for scoped deploy tokens Co-Authored-By: Claude Opus 4.7 --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 3a081f9..500999a 100644 --- a/README.md +++ b/README.md @@ -199,6 +199,8 @@ This feature is **optional**. If no R2 bucket is bound, attachments are silently npm run deploy ``` +> **Deploy token permission:** with an R2 binding, `wrangler deploy` verifies the bucket exists, so the deploy credentials need **Account → Workers R2 Storage** (Read or Edit) on top of the usual Workers Scripts permission. Local `npx wrangler login` already grants this; a **scoped API token** (e.g. the `CLOUDFLARE_API_TOKEN` used in GitHub Actions) does not by default — add the R2 permission at , otherwise the deploy fails with `Authentication error [code: 10000]` on `/r2/buckets/...`. + **Turning it off:** set `ATTACHMENTS_ENABLED = "false"` in `[vars]` to disable attachments even while the R2 bucket stays bound (useful to cap usage on a demo). Any other value (or leaving it unset) keeps the feature on whenever R2 is configured. Attachments are deleted from R2 automatically when the corresponding email is deleted from the admin UI, or when an email is dropped during feed size trimming.