Storage Updates & Release Notes

You can now receive event notifications for Artifacts repository changes and consume them from a Worker to build commit-driven automation.

This allows you to:

• Run custom workflows when a repository is created or imported
• Kick off a build and deploy a change when an agent pushes to a repo
• Trigger a review agent on every push

Available events include:

• Account-level events (artifacts source) — repo.created, repo.deleted, repo.forked, repo.imported
• Repository-level events (artifacts.repo source) — pushed, cloned, fetched

To learn more, refer to Artifacts documentation.

Starting 2026-05-18, support for the deprecated, legacy wrangler dev --remote flag has been removed for KV-backed Durable Objects and will return an error. The --remote flag was never supported with the recommended SQLite storage backend for Durable Objects.

For all Durable Objects, continue to use wrangler dev for local development and testing.

During local development if you need to access remote resources running on Cloudflare's network, refer to Using remote resources with Durable Objects and Workflows.

R2 Data Catalog is a managed Apache Iceberg data catalog built directly into your R2 bucket that allows you to connect query engines like R2 SQL, Spark, Snowflake, and DuckDB to your data in R2.

You can now query analytics for your R2 Data Catalog warehouses via Cloudflare's GraphQL Analytics API. Two new datasets are available:

• r2CatalogDataOperationsAdaptiveGroups tracks Iceberg REST API requests made to your catalog, including operation type, request duration, HTTP status, and request body bytes. Use this to monitor request volume and latency across warehouses, namespaces, and tables.
• r2CatalogTableMaintenanceAdaptiveGroups tracks table maintenance jobs such as compaction and snapshot expiration. Use this to monitor job success rates, files processed, bytes read and written, and job duration.

Both datasets support filtering by warehouse name, namespace, table name, and time range. They also include percentile aggregations for duration metrics.

For detailed schema information and example queries, refer to the R2 Data Catalog metrics and analytics documentation.

You can now empty an entire R2 bucket or delete folders directly from the dashboard. Emptying a bucket is required before you can delete it. Previously, this required scripting or configuring lifecycle rules. Now, the dashboard can handle it in a single action.

Empty a bucket

Go to your bucket's Settings tab and select Empty under the Empty Bucket section. This deletes all objects in the bucket while preserving the bucket and its configuration. For large buckets, the operation runs in the background and the dashboard displays progress.

Emptying a bucket is also a prerequisite for deleting it. The dashboard now guides you through both steps in one place.

Delete folders

R2 uses a flat object structure. The dashboard groups objects that share a common prefix into folders when the View prefixes as directories checkbox is selected. Deleting a folder removes every object under that prefix.

From the Objects tab, you can select one or more folders and delete them alongside individual objects.

For step-by-step instructions, refer to Delete buckets and Delete objects.

You can now connect Hyperdrive to a private database through a Workers VPC service. This is the recommended way to connect Hyperdrive to a private database that is not exposed to the public Internet.

When creating a Hyperdrive configuration in the Cloudflare dashboard, choose Connect to private database and then Workers VPC. From there, you can select an existing VPC service or create a new one inline by picking a Cloudflare Tunnel and entering your origin host and TCP port.

You can also create a Hyperdrive configuration backed by a Workers VPC service from the command line:

npx wrangler hyperdrive create my-vpc-database \
  --service-id <YOUR_VPC_SERVICE_ID> \
  --database <DATABASE_NAME> \
  --user <DATABASE_USER> \
  --password <DATABASE_PASSWORD> \
  --scheme postgresql

Workers VPC services are reusable across Hyperdrive configurations and can also be bound directly to Workers, so you can share the same private connection across multiple products.

To get started, refer to Connect Hyperdrive to a private database using Workers VPC.

Queues, Cloudflare's managed message queue, now exposes realtime backlog metrics via the dashboard, REST API, and JavaScript API. Three new fields are available:

• backlog_count — the number of unacknowledged messages in the queue
• backlog_bytes — the total size of those messages in bytes
• oldest_message_timestamp_ms — the timestamp of the oldest unacknowledged message

The following endpoints also now include a metadata.metrics object on the result field after successful message consumption:

• /accounts/{account_id}/queues/{queue_id}/messages/pull
• /accounts/{account_id}/queues/{queue_id}/messages
• /accounts/{account_id}/queues/{queue_id}/messages/batch

Javascript APIs

Call env.QUEUE.metrics() to get realtime backlog metrics:

const {
  backlogCount,
  backlogBytes,
  oldestMessageTimestamp,
} = await env.QUEUE.metrics();

env.QUEUE.send() and env.QUEUE.sendBatch() also now return a metrics object on the response.

You can also query these fields via the GraphQL Analytics API or view realtime backlog on the dashboard.

For more information, refer to Queues metrics.

R2 Data Catalog, a managed Apache Iceberg ↗ catalog built into R2, now removes unreferenced data files during automatic snapshot expiration. This improvement reduces storage costs and eliminates the need to run manual maintenance jobs to reclaim space from deleted data.

Previously, snapshot expiration only cleaned up Iceberg metadata files such as manifests and manifest lists. Data files that were no longer referenced by active snapshots remained in R2 storage until you manually ran remove_orphan_files or expire_snapshots through an engine like Spark. This required extra operational overhead and left stale data files consuming storage.

Snapshot expiration now handles both metadata and data file cleanup automatically. When a snapshot is expired, any data files that are no longer referenced by retained snapshots are removed from R2 storage.

Enable catalog-level snapshot expiration

npx wrangler r2 bucket catalog snapshot-expiration enable my-bucket \
--older-than-days 7 \
--retain-last 10

To learn more about snapshot expiration and other automatic maintenance operations, refer to the table maintenance documentation.

Hyperdrive now supports custom TLS/SSL certificates for MySQL databases, bringing the same certificate options previously available for PostgreSQL to MySQL connections.

You can now configure:

• Server certificate verification with VERIFY_CA or VERIFY_IDENTITY SSL modes to verify that your MySQL database server's certificate is signed by the expected certificate authority (CA).
• Client certificates (mTLS) for Hyperdrive to authenticate itself to your MySQL database with credentials beyond username and password.

Create a Hyperdrive configuration with custom certificates for MySQL

# Upload a CA certificate
npx wrangler cert upload certificate-authority --ca-cert your-ca-cert.pem --name your-custom-ca-name

# Create a Hyperdrive with VERIFY_IDENTITY mode
npx wrangler hyperdrive create your-hyperdrive-config \
  --connection-string="mysql://user:password@hostname:port/database" \
  --ca-certificate-id <CA_CERT_ID> \
  --sslmode VERIFY_IDENTITY

For more information, refer to SSL/TLS certificates for Hyperdrive and MySQL TLS/SSL modes.

Cloudflare Workflows allows you to configure specific retry logic for each step in your workflow execution. Now, you can access which retry attempt is currently executing for calls to step.do():

await
step.do(
  "my-step",
  async (ctx) => {
    // ctx.attempt is 1 on first try, 2 on first retry, etc.
    console.log(`Attempt ${ctx.attempt}`);
  }
);

You can use the step context for improved logging & observability, progressive backoff, or conditional logic in your workflow definition.

Note that the current attempt number is 1-indexed. For more information on retry behavior, refer to Sleeping and Retrying.

Region filtering

All location-aware pages now support filtering by region, including continents, geographic subregions (Middle East, Eastern Asia, etc.), political regions (EU, African Union), and US Census regions/divisions (for example, New England, US Northeast).

Traffic volume by top autonomous systems and locations

A new traffic volume view shows the top autonomous systems and countries/territories for a given location. This is useful for quickly determining which network providers in a location may be experiencing connectivity issues, or how traffic is distributed across a region.

The new AS and location dimensions have also been added to the Data Explorer for the HTTP, DNS, and NetFlows datasets. Combined with other available filters, this provides a powerful tool for generating unique insights.

Finally, breadcrumb navigation is now available on most pages, allowing easier navigation between parent and related pages.

Check out these features on Cloudflare Radar.

Browser Rendering REST API rate limits

Browser Rendering REST API rate limits for Workers Paid plans have been increased from 3 requests per second (180/min) to 10 requests per second (600/min). No action is needed to benefit from the higher limit.

The REST API lets you perform common browser tasks with a single API call, and you can now do it at a higher rate.

Available endpoints

• /content - Fetch HTML
• /screenshot - Capture screenshot
• /pdf - Render PDF
• /markdown - Extract Markdown from a webpage
• /snapshot - Take a webpage snapshot
• /scrape - Scrape HTML elements
• /json - Capture structured data using AI
• /links - Retrieve links from a webpage

If you use the Workers Bindings method, increases to concurrent browser and new browser limits are coming soon. Stay tuned.

For full details, refer to the Browser Rendering limits page.

The Gateway Authorization Proxy and PAC file hosting are now in open beta for all plan types.
Previously, proxy endpoints relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with Cloudflare Access authentication, verifying who a user is before applying Gateway filtering without installing the WARP client.
This is ideal for environments where you cannot deploy a device client, such as virtual desktops (VDI), mergers and acquisitions, or compliance-restricted endpoints.

Key capabilities

• Identity-aware proxy traffic — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write identity-based policies like "only the Finance team can access this accounting tool."
• Multiple identity providers — Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems.
• Cloudflare-hosted PAC files — Create and host PAC files directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at https://pac.cloudflare-gateway.com// on Cloudflare's global network.
• Simplified billing — Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track.

Get started

• 1. In Cloudflare One ↗ Cloudflare One ↗, go to Networks > Resolvers & Proxies > Proxy endpoints.
• 1. Create an authorization proxy endpoint and configure Access policies.
• 1. Create a hosted PAC file or write your own.
• 1. Configure browsers to use the PAC file URL.
• 1. Install the Cloudflare certificate for HTTPS inspection.

For more details, refer to the proxy endpoints documentation and the announcement blog post ↗ announcement blog post ↗.

Release notes

Each Workflow on Workers Paid now supports 10,000 steps by default, configurable up to 25,000 steps in your wrangler.jsonc file:

{
  "workflows": [
    {
      "name": "my-workflow",
      "binding": "MY_WORKFLOW",
      "class_name": "MyWorkflow",
      "limits": {
        "steps": 25000
      }
    }
  ]
}

Previously, each instance was limited to 1,024 steps. Now, Workflows can support more complex, long-running executions without the additional complexity of recursive or child workflow calls.

Note that the maximum persisted state limit per Workflow instance remains 100 MB for Workers Free and 1 GB for Workers Paid. Refer to Workflows limits for more information.