Skip to main content

AI Object Storage API

Manage organization-wide access policies, bucket settings, and access keys

Users with administrative permissions can interact with the CoreWeave AI Object Storage API using curl or any other HTTP client. The API allows users to set organization-wide access policies, configure bucket settings, and manage access keys.

Info
  • The API server is https://api.coreweave.com.
  • Replace {API_ACCESS_TOKEN} in the examples below with your CoreWeave API access token.

Summary

This table lists the available endpoints for the CoreWeave AI Object Storage API. Click an action for detailed information.

ActionMethodEndpointDescription
CreateAccessKeyFromJWTPOST/v1/cwobject/access-keyCreate an access key via a Cloud token.
ListAccessKeyInfoGET/v1/cwobject/access-keyList information about all access keys.
GetAccessKeyInfoGET/v1/cwobject/access-key/{accessKeyId}Get information about a specific access key.
ListAccessPoliciesGET/v1/cwobject/access-policyList all Object Storage access policies in the organization.
EnsureAccessPolicyPOST/v1/cwobject/access-policyApply or update access policies.
DeleteAccessPolicyDELETE/v1/cwobject/access-policy/{policy-name}Delete an access policy.
SetBucketSettingsPUT/v1/cwobject/bucket/settingsConfigure bucket settings that aren't exposed in the S3 API.
ListBucketInfoGET/v1/cwobject/bucket-infoList information about all buckets.
GetBucketInfoGET/v1/cwobject/bucket-info/{bucketName}Get information about a specific bucket.
SetOrganizationSettingsPUT/v1/cwobject/organization/settingsConfigure settings related to your organization and CoreWeave AI Object Storage.
RevokeAccessKeyByAccessKeyPOST/v1/cwobject/revoke-access-key/access-keyRevoke a specific access key.
RevokeAccessKeysByPrincipalPOST/v1/cwobject/revoke-access-key/principalRevoke all access keys for a principal.
CreateAccessKeyFromSAMLPOST/v1/cwobject/temporary-credentials/samlGenerate temporary access keys for CoreWeave AI Object Storage access via a SAML assertion.

CreateAccessKeyFromJWT

MethodEndpoint
POST/v1/cwobject/access-key

Generate an access key via a Cloud token. Access keys are time-limited or permanent, depending on the value of durationSeconds passed in the JSON object.

Important

The durationSeconds field is required.

To create a permanent access key, set durationSeconds to 0.

data.json
{
"durationSeconds": 0
}

To create a temporary access key, specify the duration in seconds.

data.json
{
"durationSeconds": 300
}

Submit the request, passing the JSON object in the body as data.json.

Example request
$
curl -X POST https://api.coreweave.com/v1/cwobject/access-key \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}" \
-d @data.json

A successful response returns the generated access key.

Response status code 200
{
"accessKeyID": "CWABCDEFGHIJKLMN",
"expiry": "1970-01-15T01:01:01Z",
"principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1",
"secretKey": "cwo1234567890abcdefghijklmnopqrstuvwxyz1234"
}

ListAccessKeyInfo

MethodEndpoint
GET/v1/cwobject/access-key

List information about all access keys.

Example request
$
curl -X GET https://api.coreweave.com/v1/cwobject/access-key \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}"

A successful response returns a list of all access keys and their details.

Response status code 200
{
"info": [
{
"accessKeyId": "CWABCDEFGHIJKLMN",
"status": "string",
"principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1",
"attributes": {
"property1": "string",
"property2": "string"
},
"expiry": "2019-08-24T14:15:22Z",
"orgId": "abc123"
}
]
}

GetAccessKeyInfo

MethodEndpoint
GET/v1/cwobject/access-key/{accessKeyId}

Get information about a specific access key. Provide the {accessKeyId} to retrieve as shown.

Example request
$
curl -X GET https://api.coreweave.com/v1/cwobject/access-key/{accessKeyId} \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}"

A successful response returns the details for the requested access key.

Response status code 200
{
"info": {
"accessKeyId": "CWABCDEFGHIJKLMN",
"status": "string",
"principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1",
"attributes": {
"property1": "string",
"property2": "string"
},
"expiry": "2019-08-24T14:15:22Z",
"orgId": "abc123"
}
}

ListAccessPolicies

MethodEndpoint
GET/v1/cwobject/access-policy

List all Object Storage access policies in the organization, which define who can access the storage and what actions they can perform.

Example request
$
curl -X GET https://api.coreweave.com/v1/cwobject/access-policy \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}"

A successful response returns a list of all access policies.

Response status code 200
{
"policies": [
{
"version": "v1alpha1",
"name": "string",
"statements": [
{
"name": "string",
"effect": "Allow",
"actions": [
"s3:CreateBucket"
],
"resources": [
"string"
],
"principals": [
"string"
]
}
]
}
]
}

EnsureAccessPolicy

MethodEndpoint
POST/v1/cwobject/access-policy

Apply or update access policies that define who can access the storage and what actions they can perform.

Learn more

Just as with bucket policies, CoreWeave supports all actions that take place inside access policies. However, within access policies we also support the following set of cwobject:* actions:

  • cwobject:CreateAccessKey
  • cwobject:CreateAccessKeySAML
  • cwobject:RevokeAccessKeyByAccessKey
  • cwobject:RevokeAccessKeysByPrincipal
  • cwobject:EnsureAccessPolicy
  • cwobject:DeleteAccessPolicy
  • cwobject:ListAccessPolicy
  • cwobject:EnableBucketAuditLogging
  • cwobject:DisableBucketAuditLogging
  • cwobject:EnableControlPlaneAuditLogging
  • cwobject:DisableControlPlaneAuditLogging
  • cwobject:EnableBucketAuditLoggingDefault
  • cwobject:DisableBucketAuditLoggingDefault

Please note: cwobject actions must be used with "*" as the resource value.

Supply the policy as a JSON object in the request body. To allow all actions on all resources for all principals, save the following JSON object as data.json.

data.json
{
"policy": {
"version": "v1alpha1",
"name": "test-policy",
"statements": [
{
"name": "allow-everything",
"effect": "Allow",
"actions": ["*"],
"resources": ["*"],
"principals": ["*"]
}
]
}
}

Submit the request, passing the JSON object in the body as data.json.

Example request
$
curl -X POST https://api.coreweave.com/v1/cwobject/access-policy \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}" \
-d @data.json

A successful response returns an empty object.

Response status code 200
{}

DeleteAccessPolicy

MethodEndpoint
DELETE/v1/cwobject/access-policy/{policy-name}

Delete an access policy. Provide the {policy-name} to delete as shown.

Example request
$
curl -X DELETE https://api.coreweave.com/v1/cwobject/access-policy/{policy-name} \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}"

A successful response returns an empty object.

Response status code 200
{}

SetBucketSettings

MethodEndpoint
PUT/v1/cwobject/bucket/settings

Configure bucket settings that aren't exposed in the S3 API. Supply the bucket settings as a JSON object in the request body. To enable audit logging for a bucket, save the following JSON object as data.json.

data.json
{
"bucketName": "string",
"settings": {
"auditLoggingEnabled": true
}
}

Submit the request, passing the JSON object in the body as data.json.

Example request
$
curl -X PUT https://api.coreweave.com/v1/cwobject/bucket/settings \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}" \
-d @data.json

A successful response returns the updated bucket settings.

Response status code 200
{
"settings": {
"auditLoggingEnabled": true
}
}

ListBucketInfo

MethodEndpoint
GET/v1/cwobject/bucket-info

List information about all buckets.

Example request
$
curl -X GET https://api.coreweave.com/v1/cwobject/bucket-info \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}"

A successful response returns a list of all buckets and their details.

Response status code 200
{
"info": [
{
"orgId": "abc123",
"name": "my-bucket",
"creationTime": "2019-08-24T14:15:22Z",
"settings": {
"auditLoggingEnabled": true
},
"location": "string",
"usage": [
{
"measurementType": 0,
"value": "string",
"valueHumanReadable": "string"
}
]
}
]
}

GetBucketInfo

MethodEndpoint
GET/v1/cwobject/bucket-info/{bucketName}

Get information about a specific bucket. Provide the {bucketName} to retrieve as shown.

Example request
$
curl -X GET https://api.coreweave.com/v1/cwobject/bucket-info/{bucketName} \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}"

A successful response returns the details for the requested bucket.

Response status code 200
{
"info": {
"orgId": "abc123",
"name": "my-bucket",
"creationTime": "2019-08-24T14:15:22Z",
"settings": {
"auditLoggingEnabled": true
},
"location": "string",
"usage": [
{
"measurementType": 0,
"value": "string",
"valueHumanReadable": "string"
}
]
}
}

SetOrganizationSettings

MethodEndpoint
PUT/v1/cwobject/organization/settings

Configure settings related to your organization and CoreWeave AI Object Storage. Supply the organization settings as a JSON object in the request body. To enable audit logging for the control plane and buckets, save the following JSON object as data.json.

data.json
{
"settings": {
"controlPlaneAuditLoggingEnabled": true,
"bucketAuditLoggingEnabled": true
}
}

Submit the request, passing the JSON object in the body as data.json.

Example request
$
curl -X PUT https://api.coreweave.com/v1/cwobject/organization/settings \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}" \
-d @data.json

A successful response returns the updated organization settings.

Response status code 200
{
"settings": {
"controlPlaneAuditLoggingEnabled": true,
"bucketAuditLoggingEnabled": true
}
}

RevokeAccessKeyByAccessKey

MethodEndpoint
POST/v1/cwobject/revoke-access-key/access-key

Revoke a specific access key. To delete example-access-key create the following JSON object as data.json.

data,json
{
"accessKey": "example-access-key"
}

Submit the request, passing the JSON object in the body as data.json.

Example request
$
curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/access-key \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}" \
-d @data.json

A successful response returns an empty object.

Response status code 200
{}

RevokeAccessKeysByPrincipal

MethodEndpoint
POST/v1/cwobject/revoke-access-key/principal

Revoke all access keys for a principal. To delete all access keys for coreweave/ueqXfgRCYGqptEXAMPLE1, create the following JSON object as data.json.

data.json
{
"principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1"
}

Submit the request, passing the JSON object in the body as data.json.

Example request
$
curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/principal \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}" \
-d @data.json

A successful response returns an empty object.

Response status code 200
{}

CreateAccessKeyFromSAML

MethodEndpoint
POST/v1/cwobject/temporary-credentials/saml

Generate a time-limited access key for an Org ID. The maximum lifespan of the key is 43200 seconds (12 hours).

Important

samlResponse must be Base64-encoded.

To generate temporary credentials with a 300-second lifespan and a SAML assertion from https://example.com/metadata/, create the following JSON object as data.json. The lifespan of the key is set by durationSeconds. In order to regenerate this ephemeral key, the SAML assertion must be re-submitted after durationSeconds has elapsed.

data.json
{
"durationSeconds": 300,
"orgId": "abc123",
"configId": "<WORKLOAD_FEDERATION_CONFIG_ID>",
"samlResponse": "<BASE64_ENCODED_SAML_RESPONSE>"
}
Info

configId values are generated via the Cloud Console by creating a Workload Federation configuration. See How to: Configure Workload Identity Federation for Object Storage.

Submit the request, passing the JSON object in the body as data.json.

Example request
$
curl -X POST https://api.coreweave.com/v1/cwobject/temporary-credentials/saml \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {API_ACCESS_TOKEN}" \
-d @data.json

A successful response returns the generated credentials, for example:

Response status code 200
{
"accessKeyID": "CWABCDEFGHIJKLMN",
"expiry": "1970-01-15T01:01:01Z",
"principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1",
"secretKey": "cwo1234567890abcdefghijklmnerkgnelrkwgnvwxyz1234"
}