AI Object Storage API
Manage organization-wide access policies, bucket settings, and access keys
Users with administrative permissions can interact with the CoreWeave AI Object Storage API using curl or any other HTTP client. The API allows users to set organization-wide access policies, configure bucket settings, and manage access keys.
- The API server is
https://api.coreweave.com. - Replace
{API_ACCESS_TOKEN}in the examples below with your CoreWeave API access token.
Reference table
The following table lists all available endpoints in the CoreWeave AI Object Storage API, with links to detailed information about each endpoint.
| Endpoint | Method | Description |
|---|---|---|
/v1/cwobject/access-key | POST | Create an access key via a Cloud token. |
/v1/cwobject/access-policy | GET | List all Object Storage access policies in the organization. |
/v1/cwobject/access-policy | POST | Apply or update access policies. |
/v1/cwobject/access-policy | DELETE | Delete an access policy. |
/v1/cwobject/bucket/settings | PUT | Configure bucket settings that aren't exposed in the S3 API. |
/v1/cwobject/organization/settings | PUT | Configure settings related to your organization and CoreWeave AI Object Storage. |
/v1/cwobject/revoke-access-key/access-key | POST | Revoke a specific access key. |
/v1/cwobject/revoke-access-key/principal | POST | Revoke all access keys for a principal. |
/v1/cwobject/temporary-credentials/saml | POST | Generate temporary access keys for CoreWeave AI Object Storage access via a SAML assertion. |
Access key
The /v1/cwobject/access-key endpoint is used to generate temporary access keys via a Cloud token for CoreWeave AI Object Storage. These keys may be time-limited or permanent.
This endpoint supports the POST method.
POST /v1/cwobject/access-key
Use this endpoint to generate a permanent or time-limited access key for CoreWeave AI Object Storage access via a Cloud token.
Permanent access key
To create a permanent access key, set durationSeconds to 0 in the JSON object.
{"durationSeconds": 0}
Temporary access key
To create a temporary access key, specify the duration in seconds. The maximum duration of a temporary key is 43200 seconds (12 hours).
{"durationSeconds": 300}
Submit the request, passing the JSON object in the body as data.json.
$curl -X POST https://api.coreweave.com/v1/cwobject/access-key \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the generated access key.
{"accessKeyID": "CWABCDEFGHIJKLMN","expiry": "1970-01-15T01:01:01Z","secretKey": "cwo1234567890abcdefghijklmnopqrstuvwxyz1234"}
Access policy
The /v1/cwobject/access-policy endpoint is used to manage organization-wide access policies for CoreWeave AI Object Storage. These policies define who can access the storage and what actions they can perform.
This endpoint supports GET, POST, and DELETE methods.
GET /v1/cwobject/access-policy
Use the GET method to list all Object Storage access policies in the organization.
$curl -X GET https://api.coreweave.com/v1/cwobject/access-policy \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns a list of all access policies.
{"policies": [{"version": "v1alpha1","name": "string","statements": [{"name": "string","effect": "Allow","actions": ["s3:CreateBucket"],"resources": ["string"],"principals": ["string"]}]}]}
POST /v1/cwobject/access-policy
Use the POST method to apply or update access policies.
Just as with bucket policies, CoreWeave supports all actions that take place inside access policies. However, within access policies we also support the following set of cwobject:* actions:
- cwobject:CreateAccessKey
- cwobject:CreateAccessKeySAML
- cwobject:RevokeAccessKeyByAccessKey
- cwobject:RevokeAccessKeysByPrincipal
- cwobject:EnsureAccessPolicy
- cwobject:DeleteAccessPolicy
- cwobject:ListAccessPolicy
- cwobject:EnableBucketAuditLogging
- cwobject:DisableBucketAuditLogging
- cwobject:EnableControlPlaneAuditLogging
- cwobject:DisableControlPlaneAuditLogging
- cwobject:EnableBucketAuditLoggingDefault
- cwobject:DisableBucketAuditLoggingDefault
Please note: cwobject actions must be used with “*" as the resource value.
Supply the policy as a JSON object in the request body.
For example, to allow all actions on all resources for all principals, save the following JSON object as data.json.
{"policy": {"version": "v1alpha1","name": "test-policy","statements": [{"name": "allow-everything","effect": "Allow","actions": ["*"],"resources": ["*"],"principals": ["*"]}]}}
Submit the request, passing the JSON object in the body as data.json.
$curl -X POST https://api.coreweave.com/v1/cwobject/access-policy \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns an empty object.
{}
DELETE /v1/cwobject/access-policy/{policy-name}
The DELETE method is used to delete an access policy. Provide the {policy-name} to delete as shown.
$curl -X DELETE https://api.coreweave.com/v1/cwobject/access-policy/{policy-name} \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns an empty object.
{}
Bucket settings
The /v1/cwobject/bucket/settings endpoint is used to configure bucket settings that aren't exposed in the S3 API.
This endpoint supports the PUT method.
PUT /v1/cwobject/bucket/settings
Supply the bucket settings as a JSON object in the request body.
For example, to enable audit logging for a bucket, save the following JSON object as data.json.
{"bucketName": "string","settings": {"auditLoggingEnabled": true}}
Submit the request, passing the JSON object in the body as data.json.
$curl -X PUT https://api.coreweave.com/v1/cwobject/bucket/settings \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the updated bucket settings.
{"settings": {"auditLoggingEnabled": true}}
Organization settings
The /v1/cwobject/organization/settings endpoint is used to configure settings related to your organization and CoreWeave AI Object Storage.
This endpoint supports the PUT method.
PUT /v1/cwobject/organization/settings
Supply the organization settings as a JSON object in the request body.
For example, to enable audit logging for the control plane and buckets, save the following JSON object as data.json.
{"settings": {"controlPlaneAuditLoggingEnabled": true,"bucketAuditLoggingEnabled": true}}
Submit the request, passing the JSON object in the body as data.json.
$curl -X PUT https://api.coreweave.com/v1/cwobject/organization/settings \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the updated organization settings.
{"settings": {"controlPlaneAuditLoggingEnabled": true,"bucketAuditLoggingEnabled": true}}
Revoke access keys
The following endpoints are used to revoke access keys for CoreWeave AI Object Storage. Keys can be removed individually, or all keys for a given principal can be revoked.
These endpoints support the POST method.
POST /v1/cwobject/revoke-access-key/access-key
Use this endpoint to revoke a specific access key.
For example, to delete the access key example-access-key, create the following JSON object as data.json.
{"accessKey": "example-access-key"}
Submit the request, passing the JSON object in the body as data.json.
$curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/access-key \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns an empty object.
{}
POST /v1/cwobject/revoke-access-key/principal
Use this endpoint to revoke all access keys for a principal.
For example, to delete all access keys for example-principal, create the following JSON object as data.json.
{"principalName": "example-principal"}
Submit the request, passing the JSON object in the body as data.json.
$curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/principal \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns an empty object.
{}
Temporary credentials
The /v1/cwobject/temporary-credentials endpoint is used to generate temporary access keys for CoreWeave AI Object Storage. These keys are time-limited.
This endpoint supports the POST method.
POST /v1/cwobject/temporary-credentials/saml
Use this endpoint to generate a time-limited access key for CoreWeave AI Object Storage access for an Org ID. The maximum lifespan of the key is 43200 seconds (12 hours).
samlResponse must be Base64-encoded.
For example, to generate temporary credentials with a 300-second lifespan and a SAML assertion from https://example.com/metadata/, create the following JSON object as data.json.
{"durationSeconds": 300,"ordId": "abc123","samlResponse": "<BASE64_ENCODED_SAML_RESPONSE>"}
Submit the request, passing the JSON object in the body as data.json.
$curl -X POST https://api.coreweave.com/v1/cwobject/temporary-credentials/saml \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the generated credentials.
{"accessKeyID": "CWABCDEFGHIJKLMN","expiry": "1970-01-15T01:01:01Z","secretKey": "cwo1234567890abcdefghijklmnerkgnelrkwgnvwxyz1234"}