AI Object Storage API
Manage organization-wide access policies, bucket settings, and access keys
Users with administrative permissions can interact with the CoreWeave AI Object Storage API using curl
or any other HTTP client. The API allows users to set organization-wide access policies, configure bucket settings, and manage access keys.
- The API server is
https://api.coreweave.com
. - Replace
{API_ACCESS_TOKEN}
in the examples below with your CoreWeave API access token.
Summary
This table lists the available endpoints for the CoreWeave AI Object Storage API. Click an action for detailed information.
Action | Method | Endpoint | Description |
---|---|---|---|
CreateAccessKeyFromJWT | POST | /v1/cwobject/access-key | Create an access key via a Cloud token. |
ListAccessKeyInfo | GET | /v1/cwobject/access-key | List information about all access keys. |
GetAccessKeyInfo | GET | /v1/cwobject/access-key/{accessKeyId} | Get information about a specific access key. |
ListAccessPolicies | GET | /v1/cwobject/access-policy | List all Object Storage access policies in the organization. |
EnsureAccessPolicy | POST | /v1/cwobject/access-policy | Apply or update access policies. |
DeleteAccessPolicy | DELETE | /v1/cwobject/access-policy/{policy-name} | Delete an access policy. |
SetBucketSettings | PUT | /v1/cwobject/bucket/settings | Configure bucket settings that aren't exposed in the S3 API. |
ListBucketInfo | GET | /v1/cwobject/bucket-info | List information about all buckets. |
GetBucketInfo | GET | /v1/cwobject/bucket-info/{bucketName} | Get information about a specific bucket. |
SetOrganizationSettings | PUT | /v1/cwobject/organization/settings | Configure settings related to your organization and CoreWeave AI Object Storage. |
RevokeAccessKeyByAccessKey | POST | /v1/cwobject/revoke-access-key/access-key | Revoke a specific access key. |
RevokeAccessKeysByPrincipal | POST | /v1/cwobject/revoke-access-key/principal | Revoke all access keys for a principal. |
CreateAccessKeyFromSAML | POST | /v1/cwobject/temporary-credentials/saml | Generate temporary access keys for CoreWeave AI Object Storage access via a SAML assertion. |
CreateAccessKeyFromJWT
Method | Endpoint |
---|---|
POST | /v1/cwobject/access-key |
Generate an access key via a Cloud token. Access keys are time-limited or permanent, depending on the value of durationSeconds
passed in the JSON object.
The durationSeconds
field is required.
To create a permanent access key, set durationSeconds
to 0
.
{"durationSeconds": 0}
To create a temporary access key, specify the duration in seconds.
{"durationSeconds": 300}
Submit the request, passing the JSON object in the body as data.json
.
$curl -X POST https://api.coreweave.com/v1/cwobject/access-key \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the generated access key.
{"accessKeyID": "CWABCDEFGHIJKLMN","expiry": "1970-01-15T01:01:01Z","principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1","secretKey": "cwo1234567890abcdefghijklmnopqrstuvwxyz1234"}
ListAccessKeyInfo
Method | Endpoint |
---|---|
GET | /v1/cwobject/access-key |
List information about all access keys.
$curl -X GET https://api.coreweave.com/v1/cwobject/access-key \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns a list of all access keys and their details.
{"info": [{"accessKeyId": "CWABCDEFGHIJKLMN","status": "string","principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1","attributes": {"property1": "string","property2": "string"},"expiry": "2019-08-24T14:15:22Z","orgId": "abc123"}]}
GetAccessKeyInfo
Method | Endpoint |
---|---|
GET | /v1/cwobject/access-key/{accessKeyId} |
Get information about a specific access key. Provide the {accessKeyId}
to retrieve as shown.
$curl -X GET https://api.coreweave.com/v1/cwobject/access-key/{accessKeyId} \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns the details for the requested access key.
{"info": {"accessKeyId": "CWABCDEFGHIJKLMN","status": "string","principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1","attributes": {"property1": "string","property2": "string"},"expiry": "2019-08-24T14:15:22Z","orgId": "abc123"}}
ListAccessPolicies
Method | Endpoint |
---|---|
GET | /v1/cwobject/access-policy |
List all Object Storage access policies in the organization, which define who can access the storage and what actions they can perform.
$curl -X GET https://api.coreweave.com/v1/cwobject/access-policy \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns a list of all access policies.
{"policies": [{"version": "v1alpha1","name": "string","statements": [{"name": "string","effect": "Allow","actions": ["s3:CreateBucket"],"resources": ["string"],"principals": ["string"]}]}]}
EnsureAccessPolicy
Method | Endpoint |
---|---|
POST | /v1/cwobject/access-policy |
Apply or update access policies that define who can access the storage and what actions they can perform.
Just as with bucket policies, CoreWeave supports all actions that take place inside access policies. However, within access policies we also support the following set of cwobject:*
actions:
cwobject:CreateAccessKey
cwobject:CreateAccessKeySAML
cwobject:RevokeAccessKeyByAccessKey
cwobject:RevokeAccessKeysByPrincipal
cwobject:EnsureAccessPolicy
cwobject:DeleteAccessPolicy
cwobject:ListAccessPolicy
cwobject:EnableBucketAuditLogging
cwobject:DisableBucketAuditLogging
cwobject:EnableControlPlaneAuditLogging
cwobject:DisableControlPlaneAuditLogging
cwobject:EnableBucketAuditLoggingDefault
cwobject:DisableBucketAuditLoggingDefault
Please note: cwobject
actions must be used with "*"
as the resource value.
Supply the policy as a JSON object in the request body. To allow all actions on all resources for all principals, save the following JSON object as data.json
.
{"policy": {"version": "v1alpha1","name": "test-policy","statements": [{"name": "allow-everything","effect": "Allow","actions": ["*"],"resources": ["*"],"principals": ["*"]}]}}
Submit the request, passing the JSON object in the body as data.json
.
$curl -X POST https://api.coreweave.com/v1/cwobject/access-policy \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns an empty object.
{}
DeleteAccessPolicy
Method | Endpoint |
---|---|
DELETE | /v1/cwobject/access-policy/{policy-name} |
Delete an access policy. Provide the {policy-name}
to delete as shown.
$curl -X DELETE https://api.coreweave.com/v1/cwobject/access-policy/{policy-name} \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns an empty object.
{}
SetBucketSettings
Method | Endpoint |
---|---|
PUT | /v1/cwobject/bucket/settings |
Configure bucket settings that aren't exposed in the S3 API. Supply the bucket settings as a JSON object in the request body. To enable audit logging for a bucket, save the following JSON object as data.json
.
{"bucketName": "string","settings": {"auditLoggingEnabled": true}}
Submit the request, passing the JSON object in the body as data.json
.
$curl -X PUT https://api.coreweave.com/v1/cwobject/bucket/settings \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the updated bucket settings.
{"settings": {"auditLoggingEnabled": true}}
ListBucketInfo
Method | Endpoint |
---|---|
GET | /v1/cwobject/bucket-info |
List information about all buckets.
$curl -X GET https://api.coreweave.com/v1/cwobject/bucket-info \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns a list of all buckets and their details.
{"info": [{"orgId": "abc123","name": "my-bucket","creationTime": "2019-08-24T14:15:22Z","settings": {"auditLoggingEnabled": true},"location": "string","usage": [{"measurementType": 0,"value": "string","valueHumanReadable": "string"}]}]}
GetBucketInfo
Method | Endpoint |
---|---|
GET | /v1/cwobject/bucket-info/{bucketName} |
Get information about a specific bucket. Provide the {bucketName}
to retrieve as shown.
$curl -X GET https://api.coreweave.com/v1/cwobject/bucket-info/{bucketName} \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns the details for the requested bucket.
{"info": {"orgId": "abc123","name": "my-bucket","creationTime": "2019-08-24T14:15:22Z","settings": {"auditLoggingEnabled": true},"location": "string","usage": [{"measurementType": 0,"value": "string","valueHumanReadable": "string"}]}}
SetOrganizationSettings
Method | Endpoint |
---|---|
PUT | /v1/cwobject/organization/settings |
Configure settings related to your organization and CoreWeave AI Object Storage. Supply the organization settings as a JSON object in the request body. To enable audit logging for the control plane and buckets, save the following JSON object as data.json
.
{"settings": {"controlPlaneAuditLoggingEnabled": true,"bucketAuditLoggingEnabled": true}}
Submit the request, passing the JSON object in the body as data.json
.
$curl -X PUT https://api.coreweave.com/v1/cwobject/organization/settings \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the updated organization settings.
{"settings": {"controlPlaneAuditLoggingEnabled": true,"bucketAuditLoggingEnabled": true}}
RevokeAccessKeyByAccessKey
Method | Endpoint |
---|---|
POST | /v1/cwobject/revoke-access-key/access-key |
Revoke a specific access key. To delete example-access-key
create the following JSON object as data.json
.
{"accessKey": "example-access-key"}
Submit the request, passing the JSON object in the body as data.json
.
$curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/access-key \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns an empty object.
{}
RevokeAccessKeysByPrincipal
Method | Endpoint |
---|---|
POST | /v1/cwobject/revoke-access-key/principal |
Revoke all access keys for a principal. To delete all access keys for coreweave/ueqXfgRCYGqptEXAMPLE1
, create the following JSON object as data.json
.
{"principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1"}
Submit the request, passing the JSON object in the body as data.json
.
$curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/principal \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns an empty object.
{}
CreateAccessKeyFromSAML
Method | Endpoint |
---|---|
POST | /v1/cwobject/temporary-credentials/saml |
Generate a time-limited access key for an Org ID. The maximum lifespan of the key is 43200 seconds (12 hours).
samlResponse
must be Base64-encoded.
To generate temporary credentials with a 300-second lifespan and a SAML assertion from https://example.com/metadata/
, create the following JSON object as data.json
. The lifespan of the key is set by durationSeconds
. In order to regenerate this ephemeral key, the SAML assertion must be re-submitted after durationSeconds
has elapsed.
{"durationSeconds": 300,"orgId": "abc123","configId": "<WORKLOAD_FEDERATION_CONFIG_ID>","samlResponse": "<BASE64_ENCODED_SAML_RESPONSE>"}
configId
values are generated via the Cloud Console by creating a Workload Federation configuration. See How to: Configure Workload Identity Federation for Object Storage.
Submit the request, passing the JSON object in the body as data.json
.
$curl -X POST https://api.coreweave.com/v1/cwobject/temporary-credentials/saml \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the generated credentials, for example:
{"accessKeyID": "CWABCDEFGHIJKLMN","expiry": "1970-01-15T01:01:01Z","principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1","secretKey": "cwo1234567890abcdefghijklmnerkgnelrkwgnvwxyz1234"}