July 7, 2025 - Unmanaged auth API
Unmanaged auth API is now available
A new Kubernetes API endpoint for unmanaged auth is now available in CKS, enabling custom authentication workflows.
Kubernetes API endpoint for unmanaged auth
A new Kubernetes API endpoint for unmanaged authentication is now available in CKS, streamlining OIDC, Service Account, and Webhook authentication workflows for public CKS clusters. Prior to this release, customers were required to first use CoreWeave-managed authentication to provision their own endpoint to support these unmanaged authentication workflows.
Managed Auth vs. unmanaged auth
Managed Auth
The managed authentication endpoint follows the format https://<Org ID>-<Cluster Hash>.k8s.<Zone>.coreweave.com and can be found on the Cluster Status page of the CoreWeave Cloud Console by clicking Copy public address.
The Managed Auth service handles user authentication and authorization only for user identities in the CoreWeave Cloud Console. It does not support Kubernetes Service Account tokens, OIDC access tokens, or anonymous API server URIs.
Kubeconfigs for CKS clusters that are generated by the CoreWeave Cloud Console use the Managed Auth endpoint by default.
Unmanaged auth
The new unmanaged authentication endpoint is available at https://api.<Org ID>-<Cluster Hash>.k8s.<Zone>.coreweave.com. You can create this URL by clicking Copy public address on the Cluster Status page and adding the api. prefix to the copied address.
Unmanaged authentication allows users to authenticate with the Kubernetes API using Kubernetes Service Account Tokens, OIDC access tokens, or anonymous API server URIs. This endpoint is intended for users who prefer to manage their own authentication and authorization mechanisms. Kubeconfigs and access tokens generated by the CoreWeave Cloud Console for CKS clusters are not supported by this endpoint.
CKS clusters previously offered an undocumented unmanaged authentication endpoint at https://api.<orgId>-<clusterName>.k8s.<zone>.coreweave.com. This endpoint is now deprecated.
Use cases
This endpoint streamlines several authentication scenarios:
- OIDC authentication: Integrate standard OIDC IdPs for authentication to your CKS clusters
- Service Account authentication: Use Kubernetes Service Account tokens to authenticate with your CKS clusters
- Custom authentication providers: Integrate with enterprise identity systems not supported by standard OIDC
- Multi-factor authentication: Implement custom MFA workflows
Migration considerations
This is an additive change, introducing a new endpoint for CKS clusters that can be used to support authentication strategies that aren't supported by the managed authentication endpoint. Customers who previously configured their own custom endpoints for unmanaged authentication can continue to use those. This change introduces no incompatibilities with existing workflows.
Configuration
Unmanaged auth can be configured on existing clusters without requiring cluster recreation.
To configure unmanaged auth:
- Deploy your authentication webhook: Host your custom authentication service that implements the Kubernetes authentication webhook interface
- Configure the webhook in CKS: Use the CKS API to configure the authentication webhook endpoint
- Test the integration: Verify that your custom authentication workflow functions correctly
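The request and response handling behind step 1, as an added example that is not CoreWeave's or this page's own code: the Kubernetes API server sends the webhook a TokenReview object carrying the bearer token, and the service answers with the authenticated identity or a denial. The token table, the user identity and the review_token function name are assumptions made up for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: SHA-256 digests of accepted bearer tokens mapped to
# identities. A real service would query its own identity system instead.
KNOWN_TOKENS = {
    hashlib.sha256(b"example-token-alice").hexdigest(): {
        "username": "alice@example.com",
        "uid": "1001",
        "groups": ["platform-admins"],
    },
}
DEFAULT_VERSION = "authentication.k8s.io/v1"


def _deny(api_version, reason):
    """Fail closed: any problem yields authenticated=False."""
    return {"apiVersion": api_version, "kind": "TokenReview",
            "status": {"authenticated": False, "error": reason}}


def review_token(body: bytes) -> dict:
    """Build the TokenReview response for one webhook request body."""
    try:
        review = json.loads(body)
    except ValueError:  # covers invalid JSON and invalid UTF-8
        return _deny(DEFAULT_VERSION, "malformed request")
    if not isinstance(review, dict) or review.get("kind") != "TokenReview":
        return _deny(DEFAULT_VERSION, "not a TokenReview")
    # The response must use the same apiVersion the API server sent.
    api_version = review.get("apiVersion", DEFAULT_VERSION)
    spec = review.get("spec")
    token = spec.get("token") if isinstance(spec, dict) else None
    if not isinstance(token, str) or not token:
        return _deny(api_version, "missing token")
    digest = hashlib.sha256(token.encode("utf-8", "surrogatepass")).hexdigest()
    user = None
    for known, identity in KNOWN_TOKENS.items():
        # Constant-time comparison; every entry is checked regardless of match.
        if hmac.compare_digest(known, digest):
            user = identity
    if user is None:
        return _deny(api_version, "unknown token")
    return {"apiVersion": api_version, "kind": "TokenReview",
            "status": {"authenticated": True, "user": user}}
```

The returned username and groups are what Kubernetes RBAC rules are evaluated against, so the webhook decides identity while authorization stays in the cluster.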
For detailed API reference information, see CKS API Reference.
Support
For questions about the unmanaged authentication endpoint, contact CoreWeave Support.