Skip to main content

July 7, 2025 - Unmanaged auth API

Unmanaged auth API is now available

Update APIs New Kubernetes API endpoint for unmanaged auth is now available in CKS, enabling custom authentication workflows.

Kubernetes API endpoint for unmanaged auth

A new Kubernetes API endpoint for unmanaged authentication is now available in CKS, streamlining OIDC, Service Account, and Webhook authentication workflows for public CKS clusters. Prior to this release, customers were required to first use CoreWeave-managed authentication to provision their own endpoint to support these unmanaged authentication workflows.

Managed Auth vs. unmanaged auth

Managed Auth

The managed authentication endpoint follows the format https://<Org ID>-<Cluster Hash>.k8s.<Zone>.coreweave.com and can be found on the Cluster Status page of the CoreWeave Cloud Console by clicking Copy public address.

The Managed Auth service handles user authentication and authorization only for user identities in the CoreWeave Cloud Console. It does not support Kubernetes Service Account tokens, OIDC access tokens, or anonymous API server URIs.

Info

Kubeconfigs for CKS clusters that are generated by the CoreWeave Cloud Console use the Managed Auth endpoint by default.

Unmanaged auth

The new unmanaged authentication endpoint is available at https://api.<Org ID>-<Cluster Hash>.k8s.<Zone>.coreweave.com. You can create this URL by adding the api. prefix after clicking Copy public address on the Cluster Status page.

Unmanaged authentication allows users to authenticate with the Kubernetes API using Kubernetes Service Account Tokens, OIDC access tokens, or anonymous API server URIs. This endpoint is intended for users who prefer to manage their own authentication and authorization mechanisms. Kubeconfigs and access tokens generated by the CoreWeave Cloud Console for CKS clusters are not supported by this endpoint.

Deprecated endpoint

CKS clusters previously offered an undocumented unmanaged authentication endpoint at https://api.<orgId>-<clusterName>.k8s.<zone>.coreweave.com. This endpoint is now deprecated.

Use cases

This endpoint streamlines several authentication scenarios:

  • OIDC authentication: Integrate standard OIDC IdPs for authentication to your CKS clusters
  • Service Account authentication: Use Kubernetes Service Account tokens to authenticate with your CKS clusters
  • Custom authentication providers: Integrate with enterprise identity systems not supported by standard OIDC
  • Multi-factor authentication: Implement custom MFA workflows

Migration considerations

This is an additive change, introducing a new endpoint for CKS clusters that can be used to support authentication strategies that aren't supported by the managed authentication endpoint. Customers who previously configured their own custom endpoints for unmanaged authentication can continue to use those. This change introduces no incompatibilities with existing workflows.

Configuration

Unmanaged auth can be configured on existing clusters without requiring cluster recreation.

To configure unmanaged auth:

  1. Deploy your authentication webhook: Host your custom authentication service that implements the Kubernetes authentication webhook interface
  2. Configure the webhook in CKS: Use the CKS API to configure the authentication webhook endpoint
  3. Test the integration: Verify that your custom authentication workflow functions correctly
Learn more

For detailed API reference information, see CKS API Reference.

Support

For questions about the unmanaged authentication endpoint, contact CoreWeave Support.

Additional resources