A simple, secure Git LFS server for Cloudflare Workers using R2 for storage and JWT authentication for uploads.

• Public download: Anyone can download LFS objects.
• Authenticated upload: Only users with a valid JWT token (present in a KV store) can upload.
• Token management: Generate and revoke tokens via API endpoints.
• Git LFS Batch API: Supports LFS batch operations for upload/download metadata.
• CORS enabled: Ready for cross-origin requests.

Bind these to your Worker:

• LFS_ALLOWED_TOKENS: KV namespace for allowed tokens.
• LFS_JWT_SECRET: Secret key for signing JWT tokens.
  Generate with:
  node -e "console.log(require('crypto').randomBytes(64).toString('base64'));"
• LFS_BUCKET: R2 bucket for storing LFS objects.

• GET /lfs/objects/:oid
  Download an LFS object (public).
• PUT /lfs/objects/:oid
  Upload an LFS object (requires Bearer JWT).
• GET /generate
  Generate a JWT token (add it to KV manually).
• POST /revoke
  Revoke a JWT token.
• POST /objects/batch
  Git LFS Batch API (upload/download metadata).

• Tokens:
  Generate with /generate, add to KV, and use as Bearer tokens for uploads or a Basic token (guide below).
• Revocation:
  Remove from KV or use /revoke?key=<TOKEN> to block uploads with a token.
• Customization:
  Change REPO_URL, BUCKET_URL, and WORKER_URL constants as needed.

• Make sure you have Git LFS installed:

  git lfs install

  You only need to do this once per machine.

• (Optional) Track LFS files in your repo:

  git lfs track "*.blend"
  git add .gitattributes
  git commit -m "Track .blend files using Git LFS"

1. Create a .lfsconfig file in your Git repository:

[lfs]
url = https://lfs.playreia.com

or set it globally (sets it for every repository so maybe not unless that's all your user/system uses)

git config --global lfs.url https://lfs.playreia.com

2. (Optional if you want write access) Update your global config: git config --global --edit and set its access to basic

[lfs "https://lfs.playreia.com"]
	access = "basic"

type git lfs env and you should see Endpoint=https://lfs.playreia.com/objects/batch (auth=none) or (auth=basic) if you set your access.

You need a valid JWT token (from /generate and present in your KV store) for uploads.

Option 1: Use git credential approve Then paste this in there (make sure the change the JWT token):

protocol=https
host=lfs.playreia.com
username=whatever
password=YOUR_JWT_TOKEN_HERE

Option 2: Add to .netrc On Linux: ~/.netrc On Windows: %USERPROFILE%\.netrc

machine lfs.playreia.com
login whatever
password YOUR_JWT_TOKEN_HERE

• Push: When you push, Git LFS will use your server for uploads and require your JWT token.
• Pull/Clone: When you pull or clone, Git LFS will fetch objects from your server (no token required).

• 403/401 errors when uploading:
  Ensure your token is valid, not revoked, and properly stored in the credential helper or .netrc.
• "Object already exists" errors:
  Means the object (by hash) is already uploaded.
• Cannot push LFS objects:
  Double-check .lfsconfig URL and your credential setup.

• Git LFS Documentation
• Cloudflare Workers Docs
• Cloudflare R2 Docs

MIT License
Author: Quaint Studios, Kristopher Ali