BYOS Configuration

Before you can stream, connect a storage bucket you control. Nlarj supports Cloudflare R2 (recommended), AWS S3, and Google Cloud Storage.

Why Cloudflare R2 is recommended

Provider	Egress cost	10 GB storage/month
Cloudflare R2	$0	~$0.15
AWS S3	$0.09/GB	~$0.23
Google Cloud Storage	$0.12/GB	~$0.20

For a church streaming a weekly Sunday service to 100 members, Cloudflare R2 typically costs under $1/month total because egress (viewer downloads) is free.

What you'll enter in the app

The BYOS configuration screen in Church Admin asks for:

Field	Required	Example
Storage Provider	Yes	AWS S3 / Cloudflare R2 / Google GCS
Bucket Name	Yes	my-church-media
Region	No	auto (R2) or us-east-1 (S3)
Endpoint URL	No (R2 needs it)	https://xxx.r2.cloudflarestorage.com
Public CDN URL	No	https://cdn.yourchurch.com
Access Key ID	Yes	From your provider's API key
Secret Access Key	Yes	Matching secret from your provider

After filling these in, click Test Connection. If green ✓, click Save Configuration.

Set up Cloudflare R2

1. Sign up for Cloudflare at cloudflare.com (free)

2. Enable R2 — Dashboard → R2 → Enable (requires credit card, but the free tier covers most small churches)

3. Create a bucket:

   • Name: your-church-streaming (all lowercase, hyphens allowed, no underscores)
   • Location: Automatic

4. Create an API token:

   • R2 → Manage R2 API Tokens → Create API Token
   • Permission: Object Read & Write
   • Specify bucket: select the bucket you just created
   • Copy the Access Key ID and Secret Access Key — you'll need both

5. Find your Endpoint URL:

   • R2 → your bucket → Settings → S3 API
   • Copy the URL shown (looks like https://<account-id>.r2.cloudflarestorage.com)

6. Set CORS policy on the bucket so browser-based members can play streams — R2 → bucket → Settings → CORS policy:

   [
     {
       "AllowedOrigins": ["*"],
       "AllowedMethods": ["GET", "PUT", "HEAD"],
       "AllowedHeaders": ["*"],
       "ExposeHeaders": ["ETag", "Content-Length", "Content-Type"],
       "MaxAgeSeconds": 3000
     }
   ]

   Why "*" is safe here

   Access to your bucket is already gated by presigned URLs — short-lived signed URLs generated by your own cloud account. The signature is the authorization; the browser origin is not the gatekeeper. Using "*" for the origin only allows browsers to attempt a request; the R2 signature check still rejects anything unauthorized.

   If you prefer stricter origin control, replace "*" with ["https://www.nlarj.app", "https://nlarj.app"].

In Church Admin:

• Storage Provider: Cloudflare R2
• Bucket Name: the bucket you created
• Region: auto
• Endpoint URL: from Step 5
• Access Key ID / Secret: from Step 4

Set up AWS S3

1. IAM → Users → Add user with programmatic access
2. Attach policy: AmazonS3FullAccess (or a tighter bucket-scoped policy in production)
3. Copy the Access Key ID and Secret Access Key
4. Create a bucket in your chosen region with Block Public Access: ON
5. Set the same CORS policy as shown above
6. In Church Admin:
   • Storage Provider: AWS S3
   • Bucket Name: your bucket
   • Region: the bucket's region (e.g., us-east-1, ap-south-1)
   • Endpoint URL: leave blank (AWS uses standard endpoints)
   • Access Key ID / Secret: from step 3

Set up Google Cloud Storage

1. Create a bucket in the Google Cloud Console with appropriate region
2. Enable S3-compatible HMAC keys:
   • Cloud Storage → Settings → Interoperability → Create a key for a service account
   • Copy the Access Key and Secret
3. Set the same CORS policy on the bucket (gsutil or Console)
4. In Church Admin:
   • Storage Provider: Google GCS
   • Bucket Name: your bucket
   • Region: auto or the bucket's region
   • Endpoint URL: https://storage.googleapis.com
   • Access Key ID / Secret: from step 2

Keep credentials secure

Your keys are encrypted at rest before storage. But never commit them to git, paste them in chat, or share in screenshots.

Public CDN URL (optional)

If you've put your storage bucket behind a custom CDN (e.g., Cloudflare workers, CloudFront), paste its URL in the Public CDN URL field. Member video playback will go through your CDN for faster delivery.

If you skip this, members play directly from your bucket using presigned URLs — works fine but may be slower for viewers far from your bucket region.

Verify it's working

After saving, test with a short stream:

1. Click Test Connection in Storage Settings — should show ✓
2. Start a brief live stream from OBS
3. Check your bucket — video files should appear within 10 seconds
4. Stop the stream — the complete recording stays in your bucket

If no files appear, credentials are wrong. Re-check in Storage Settings.

Cost monitoring

Set a monthly spend alert on your cloud provider:

• Cloudflare R2 — Billing → Usage alerts → $5 threshold
• AWS S3 — CloudWatch billing alarm → $5 threshold
• Google Cloud — Billing → Budgets & alerts → $5 threshold

This protects you from runaway costs if something misconfigures (stuck upload loop, compromised key, etc.).

Troubleshooting

Test Connection fails — double-check Access Key / Secret / Endpoint URL. Region must match the bucket's region for S3.

Files uploading but members can't play — CORS isn't set. Re-apply the CORS JSON above.

"Bucket not found" — Check spelling; bucket names are case-sensitive in most providers.

See Stream Issues for playback problems after BYOS is set up.