CORS policy for storage buckets
When you upload files in Relyn, the upload UI sends bytes directly from your
browser to your storage bucket using a presigned URL. The browser refuses to
do that across origins unless the bucket explicitly allows requests from
https://studio.relyn.app. That’s the CORS policy.
Without a CORS policy in place:
- Upload in the gallery fails with a generic network error
- Thumbnails, previews, and share-link downloads still work (those go server-side; only the direct browser-to-bucket transfer is affected)
When you connect a new bucket, Relyn attempts to apply a sensible CORS
policy automatically. If the API key you provided lacks PutBucketCors
permission — which is the safe, narrow default — the auto-attempt won’t
succeed and you’ll see a yellow CORS warning badge on the bucket.
This section walks you through applying the policy manually on each provider. It’s a one-time setup per bucket, and after the Diagnose button in Relyn confirms it’s in place, the warning clears for good.
Pick your provider
- Cloudflare R2 — dashboard, JSON policy editor
- Amazon S3 — AWS Console, JSON policy editor
- DigitalOcean Spaces — form-based UI in DO Cloud
- Backblaze B2 — b2 CLI command
- OVH Object Storage — short overview + link to OVH’s docs
- Other S3-compatible providers — generic JSON + guidance
After you’ve applied it
Open the bucket in Relyn (Buckets → click the bucket → top of the page) and click the Diagnose button. Relyn runs an OPTIONS preflight check against your bucket and confirms the policy works. No write to your bucket, no S3 permissions required — the preflight check is what the browser does before any real upload anyway.
If diagnostics still flag a CORS issue, double-check the Allowed Origins
in your policy include exactly https://studio.relyn.app (or your studio’s
own URL if you self-host).