CORS on Backblaze B2

Backblaze B2’s CORS policy is set via the b2 CLI (or the equivalent S3 API call against the S3-compatible endpoint). The web dashboard exposes some CORS settings, but the CLI gives you finer control.

Install the b2 CLI

If you don’t have it yet:

# macOS via Homebrew
brew install b2-tools

# or via pip
pip install b2

# authenticate (one-time, uses your B2 application key)
b2 authorize-account YOUR_APP_KEY_ID YOUR_APP_KEY

Apply the policy

b2 update-bucket --cors-rules='[
  {
    "corsRuleName": "relyn-studio",
    "allowedOrigins": [
      "https://studio.relyn.app",
      "http://localhost:5173"
    ],
    "allowedHeaders": ["*"],
    "allowedOperations": [
      "s3_get",
      "s3_head",
      "s3_put",
      "s3_post",
      "s3_delete",
      "b2_download_file_by_name",
      "b2_download_file_by_id",
      "b2_upload_file"
    ],
    "exposeHeaders": ["etag"],
    "maxAgeSeconds": 3600
  }
]' YOUR_BUCKET_NAME allPrivate

Note: B2’s allowedOperations is more granular than AWS/R2’s AllowedMethods. The list above covers both the S3-compatible operations (s3_*) and the native B2 ones (b2_*) — including both keeps things working whichever endpoint you connected the bucket to from Relyn.

Verify

b2 get-bucket YOUR_BUCKET_NAME

Output should include the corsRules you just set.

Then in Relyn, open the bucket and click Diagnose.

S3 API alternative

If you connected the bucket via Backblaze’s S3-compatible endpoint, you can also use aws s3api put-bucket-cors against the S3 endpoint with the AWS-shaped JSON — same as the AWS or R2 examples in this section.

Further reading

• Backblaze: B2 CLI reference — official docs
• Backblaze: CORS in B2 — concept overview