1. It is a very important constraint. We cannot provide a read-only token to R2 given that we don't know whether in the future we will have a private bucket.
2. Yes, I think this is the same thing Sid suggested; it might be a good alternative to avoid having to deal with presigned URL expirations. Also, I think there's a limitation when creating presigned URLs on buckets rather than objects. Despite what the documentation says in
https://developers.cloudflare.com/r2/api/s3/presigned-urls/ I am unable to presign a URL that's at the root of the bucket:
> Bucket: For bucket-level operations (such as ListObjects, PutBucketCors) the identifier is the account ID, and bucket name.
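As an added example, not code from this thread or from Cloudflare, the following standard-library SigV4 query presign builds a URL for the bucket itself (path `/<bucket>`, with the ListObjectsV2 parameters inside the signed query string) next to one for a single object, so the two cases can be compared byte for byte. The account ID, bucket, keys, the path-style `<account>.r2.cloudflarestorage.com` endpoint and region `auto` are assumptions. The comment above reports that a bucket-level presigned URL could not be made to work against R2; this code only shows what such a URL should contain and does not settle that.

```python
# Added example, not code from this thread: SigV4 query-string presigning with
# only the standard library, to show a bucket-level presigned URL beside an
# object-level one. Endpoint and region conventions are assumptions.
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

MAX_EXPIRES = 7 * 24 * 3600  # SigV4 cap on X-Amz-Expires (604800 s)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    # kSecret -> kDate -> kRegion -> kService -> kSigning, per SigV4
    k = _hmac(("AWS4" + secret).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presign(account_id, bucket, access_key, secret_key, key=None,
            method="GET", query=None, expires=3600, now=None, region="auto"):
    """Return a presigned URL. key=None signs the bucket itself (e.g. ListObjectsV2)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 and 604800 seconds")
    host = f"{account_id}.r2.cloudflarestorage.com"  # assumed path-style endpoint
    path = "/" + quote(bucket, safe="")
    if key:
        path += "/" + quote(key, safe="/")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    # Every request parameter (list-type, prefix, ...) is part of the signed query,
    # so the holder of the URL cannot widen the listing afterwards.
    params = dict(query or {})
    params.update({
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    })
    enc = lambda s: quote(str(s), safe="-_.~")
    canonical_query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([method, path, canonical_query,
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region, "s3"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{canonical_query}&X-Amz-Signature={signature}"


def demo():
    """Constructed inputs (fake account, bucket and keys) at a fixed timestamp."""
    fixed = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
    common = dict(account_id="0123456789abcdef", bucket="my-bucket",
                  access_key="AKIDEXAMPLE", secret_key="SECRETEXAMPLE", now=fixed)
    bucket_url = presign(query={"list-type": "2", "prefix": "logs/"}, **common)
    object_url = presign(key="logs/2024/app.log", **common)
    return bucket_url, object_url


if __name__ == "__main__":
    for url in demo():
        print(url)
```

The bucket URL ends in `/my-bucket?list-type=2&prefix=logs%2F&X-Amz-...`, the object URL in `/my-bucket/logs/2024/app.log?X-Amz-...`; the only structural difference between the two is the canonical path, which is what a server that rejects the first form is objecting to.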