[Workers, R2] Add permissions access docs

[dinasaur404]

Summary

Adds Developer Platform permissions documentation for the overview model, Workers role scopes, and R2 access options.

This is the first subset of authorization docs; additional product pages will be added in follow-up commits.

Screenshots (optional)

Documentation checklist

• The change adheres to the documentation style guide.
• If a larger change - such as adding a new page- an issue has been opened in relation to any incorrect or out of date information that this PR fixes.

[github-actions]

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern	Owners
/src/content/docs/workers/	@cloudflare/workers-docs, @GregBrimble, @irvinebroque, @mikenomitch, @korinne, @WalshyDev, @cloudflare/deploy-config, @cloudflare/product-owners, @cloudflare/wrangler, @MattieTK, @cloudflare/dev-plat-leads, @vy-ton

[ask-bonk]

Review summary

This PR adds three new pages under /workers/authorization/ that document Developer Platform permissions, Workers role scopes, and R2 access options. This is a solid first subset for authorization docs.

What changes:

• Overview (index.mdx): Explains the three-level scope model (platform, product, resource) and the four role tiers.
• Workers (workers.mdx): Details Workers-specific roles, scopes, Wrangler permission requirements, legacy permission mappings, Pages API token roles, bindings, and limitations.
• R2 (r2.mdx): Covers R2 member roles, R2 API tokens, and account API token permission groups for storage, data catalog, and SQL.

Issues flagged:

1. Broken link to a non-existent Durable Objects permissions page.
2. Trailing slashes after URL anchors in three places on the Workers page.
3. Descriptions on the R2 and Workers pages are shorter than the style guide recommends (50–160 characters).
4. R2 page title could be more descriptive for consistency.

Please address the broken link and description lengths before merging. The trailing-slash and title items are quick fixes.

[ask-bonk]

The description is 37 characters. The style guide recommends 50–160 characters for SEO and clarity. Consider expanding this to explain what actions the page covers (e.g., viewing, deploying, and managing Workers roles and scopes).

[ask-bonk]

Remove the trailing slash after the anchor fragment. The correct format is /fundamentals/manage-members/scope/#specific-domains (trailing slash on the path, not after the fragment).

[ask-bonk]

Remove the trailing slash after the anchor fragment: /fundamentals/manage-members/scope/#specific-domains.

[ask-bonk]

Remove the trailing slash after the anchor fragment: /fundamentals/manage-members/scope/#specific-domains.

[ask-bonk]

This links to /workers/authorization/durable-objects/, which does not exist yet. Since this PR is described as the "first subset" and follow-ups will add additional pages, this link will be broken. Consider removing this bullet or replacing it with plain text (e.g., "Durable Objects permissions and access — coming soon") until the page is added.

[ask-bonk]

Consider a more descriptive title for consistency with the Workers page, such as R2 permissions and access.

[ask-bonk]

The description is only 26 characters. The style guide recommends 50–160 characters. Consider expanding to describe what access models and token types the page covers.

[ask-bonk]

I've completed the review of PR #31672.

Labels applied

• documentation
• content:new

What the PR changes

This PR introduces three new pages under /workers/authorization/ as the first subset of Developer Platform authorization docs:

• index.mdx — Overview of the three-level scope model (platform, product, resource) and four role tiers (Metadata Read-Only, Content Read-Only, Editor, Admin).
• workers.mdx — Workers-specific roles, scopes, Wrangler command permissions, legacy permission mappings, Pages API token roles, bindings behavior, and limitations.
• r2.mdx — R2 member/User Group roles, R2 API tokens, and account API token permission groups (Storage, Data Catalog, SQL).

Issues flagged

• Broken link — workers.mdx links to /workers/authorization/durable-objects/, which does not exist yet.
• Trailing slashes after anchors — Three links in workers.mdx use /#specific-domains/ instead of /#specific-domains.
• Short descriptions — r2.mdx (26 chars) and workers.mdx (37 chars) are below the recommended 50–160 character range.
• Title consistency — r2.mdx title is just "R2"; should probably be "R2 permissions and access" to match the Workers page.

Review posted

A review with inline comments has been posted to PR #31672:

• Overall review: View review
• Inline comments: 7 specific line-level suggestions covering the issues above.

github run

[dinasaur404]

/bonk can you make updates to address feedback?

[ask-bonk]

Done! I've addressed all the feedback from the review on PR #31672. Here's what was changed:

workers.mdx

• Expanded description from 37 characters to ~96 characters.
• Fixed three trailing slashes after anchor fragments on lines referencing #specific-domains.
• Fixed two broken Durable Objects links:
  • In Limitations: removed the link to the non-existent page and kept it as plain text.
  • In Related resources: replaced the link with "Durable Objects permissions and access — coming soon".

r2.mdx

• Updated title from "R2" to "R2 permissions and access" for consistency.
• Expanded description from 26 characters to ~103 characters.

github run

[github-actions]

Preview URL: https://e5d69d22.preview.developers.cloudflare.com
Preview Branch URL: https://workers-permissions-access.preview.developers.cloudflare.com

Files with changes (up to 15)

Original Link	Updated Link
https://developers.cloudflare.com/workers/authorization/workers/	https://workers-permissions-access.preview.developers.cloudflare.com/workers/authorization/workers/
https://developers.cloudflare.com/workers/authorization/	https://workers-permissions-access.preview.developers.cloudflare.com/workers/authorization/
https://developers.cloudflare.com/workers/authorization/r2/	https://workers-permissions-access.preview.developers.cloudflare.com/workers/authorization/r2/

[irvinebroque]

Suggested change

	These legacy permissions are being replaced by the new Workers roles. There is no deprecation date right now. Existing permissions continue to work, and customers will receive advance notice before any deprecation.
	When granting access, you should use the new Workers roles above, and you should not use the legacy permissions below. While these legacy permissions continue to work, and they will be deprecated in the future. There is currently not a deprecation date, and customers will receive advance notice before any deprecation.

to be explicit re: "you should use"

[irvinebroque]

Should this be part of R2 docs instead? And if we need it to be discoverable, link to there?

[irvinebroque]

active voice

[irvinebroque]

is there a title that more loudly and explicitly signals something like "How to grant access to only some Workers"

[irvinebroque]

should there be something in wrangler docs section about? or link to here?

[irvinebroque]

Deeplink to relevant part of dash will help people and agents here too

[irvinebroque]

How do I Terraform this? Can I do any of this via the API?