Cloudflare R2
Back up signed PDFs to Cloudflare R2 — S3-compatible storage with zero egress fees and automatic global distribution.
Requirements
Section titled “Requirements”- WPsigner 2.1.0+
- A Cloudflare account
- R2 enabled on your account
- API token with R2 read/write permissions
How It Works
Section titled “How It Works”When a signer completes a document, WPsigner automatically uploads the final PDF to your R2 bucket. The process follows the same S3-compatible flow used by all cloud storage integrations:
- Document signed — All required signers complete the document.
- PDF generated — WPsigner creates the final certified PDF.
- Upload triggered — The plugin sends the PDF to your R2 bucket using the S3
PutObjectoperation with AWS Signature V4 authentication against the R2 endpoint. - Confirmation stored — WPsigner records the remote URL and upload status in the document metadata.
Step 1: Create an R2 Bucket
Section titled “Step 1: Create an R2 Bucket”- Go to your Cloudflare Dashboard and select your account.
- Navigate to R2 in the left sidebar.
- Click Create bucket.
- Enter a bucket name (lowercase, no spaces). Example:
wpsigner-signed-docs. - Click Create bucket.
Step 2: Create API Tokens
Section titled “Step 2: Create API Tokens”- In the Cloudflare Dashboard, go to R2 → Manage R2 API Tokens.
- Click Create API token.
- Set permissions to Object Read & Write.
- Under Specify bucket(s), select the bucket you created or choose Apply to all buckets if you plan to use multiple buckets.
- Click Create API Token.
- Copy the Access Key ID and Secret Access Key immediately — the secret is shown only once.
Store these credentials in a secure location. If you lose the secret access key, you must revoke the token and create a new one.
Step 3: Find Your Account ID
Section titled “Step 3: Find Your Account ID”Your Cloudflare Account ID appears in the dashboard URL:
https://dash.cloudflare.com/{account-id}It is a 32-character hexadecimal string. You can also find it on the R2 overview page under Account ID.
Step 4: Configure WPsigner
Section titled “Step 4: Configure WPsigner”- Go to WPsigner → Integrations → Cloudflare R2 in your WordPress admin.
- Enter your Account ID (32-character hex string from Step 3).
- Enter the Access Key ID and Secret Access Key from Step 2.
- Enter the Bucket Name exactly as created in Step 1.
- Click Test Connection to verify credentials and bucket access.
- Once the test passes, click Save Settings.
Use Cases
Section titled “Use Cases”| Use Case | Description |
|---|---|
| Zero-cost downloads | Retrieve signed documents as often as needed without paying egress fees — ideal for client portals or frequent access. |
| Global distribution | Cloudflare’s CDN serves files from the nearest edge location, reducing download latency for international teams. |
| Regulatory compliance | Maintain off-server copies of signed documents for audit trails and retention policies. |
| Disaster recovery | Keep an independent backup of all signed PDFs in case of WordPress server failure. |
| Cost-effective archival | At $0.015/GB/month with a 10 GB free tier, R2 is well suited for small-to-medium document volumes. |
R2 vs S3 vs Wasabi
Section titled “R2 vs S3 vs Wasabi”| Feature | Cloudflare R2 | Amazon S3 | Wasabi |
|---|---|---|---|
| Egress Fees | $0 | $0.09/GB | $0 |
| Storage | $0.015/GB/mo | $0.023/GB/mo | $6.99/TB/mo |
| Free Tier | 10 GB | 5 GB (12mo) | None |
| Global CDN | Built-in | Extra (CloudFront) | No |
Security
Section titled “Security”Same security as Amazon S3: AWS Signature V4, AES-256-GCM encryption, rate limiting, nonce verification. Account ID is validated as 32-character hex.
Troubleshooting
Section titled “Troubleshooting”| Problem | Cause | Solution |
|---|---|---|
| Test connection fails with “InvalidAccessKeyId” | The access key ID is incorrect or the API token has been revoked. | Verify the token exists under R2 → Manage R2 API Tokens. Create a new token if needed. |
| Test connection fails with “SignatureDoesNotMatch” | The secret access key is incorrect or contains trailing whitespace. | Re-paste the secret key carefully, ensuring no extra spaces. |
| ”NoSuchBucket” error | The bucket name in WPsigner does not match an existing R2 bucket. | Check the exact bucket name in the Cloudflare Dashboard and re-enter it. |
| ”InvalidAccountId” or endpoint error | The Account ID is malformed or does not match a valid Cloudflare account. | Confirm the 32-character hex Account ID from your dashboard URL or the R2 overview page. |
| Uploads succeed but files are empty (0 bytes) | Server memory or execution time limits are too low to process large PDFs. | Increase memory_limit to at least 256M and max_execution_time to 120 in your php.ini. |
| Intermittent timeout errors | Network instability between your server and the Cloudflare endpoint. | Check your server’s outbound connectivity. R2 automatically routes to the nearest Cloudflare data center, so the issue is typically on the origin server side. |
Compatibility
Section titled “Compatibility”| Component | Minimum Version | Recommended |
|---|---|---|
| WPsigner | 2.1.0 | Latest |
| WordPress | 5.8 | 6.4+ |
| PHP | 7.4 | 8.1+ |
| cURL extension | Required | Latest |
| OpenSSL extension | Required | Latest |
Next Steps
Section titled “Next Steps”- Amazon S3 — Native AWS storage with the broadest region coverage.
- Wasabi — S3-compatible hot storage with no egress fees.
- Google Drive — Sync signed documents to your Google Workspace.
- Dropbox — Automatic backups to your Dropbox account.