How were they authenticating against S3 before? Judging by that URL, it looks like they were issuing a ListObjects? Presigned URLs would work, but you'll have to keep regenerating & redistributing them as they expire. An alternative here could be deploying a simple Worker that can expose the HTTP endpoint you want (using the R2 binding's

.list()

method)