Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt

Use this file to discover all available pages before exploring further.

With an access token, you can interact with the CoreWeave AI Object Storage API using curl or any other HTTP client. The AI Object Storage API allows users to set organization-wide access policies, configure bucket settings, and manage access keys.
CoreWeave AI Object Storage is an S3-compatible object storage solution with two APIs.
  • The S3-compatible API is used for operations like uploading objects.
  • The AI Object Storage API is used for tasks outside the S3-compatible API command set, like creating access keys from SAML assertions.

Summary

This table lists the available endpoints for the CoreWeave AI Object Storage API. Click an action for detailed information.
  • The API server is https://api.coreweave.com.
  • Replace [API-ACCESS-TOKEN] in the examples below with your CoreWeave API access token.
ActionMethodEndpointDescription
AuthCanIPOST/v1/cwobject/auth/can-iCheck whether the current user is allowed to perform a set of actions on a set of resources.
CreateAccessKeyFromJWTPOST/v1/cwobject/access-keyCreate an access key via a Cloud token.
ListAccessKeyInfoGET/v1/cwobject/access-keyList information about all access keys.
GetAccessKeyInfoGET/v1/cwobject/access-key/[ACCESS-KEY-ID]Get information about a specific access key.
ListAccessPoliciesGET/v1/cwobject/access-policyList all Object Storage access policies in the organization.
EnsureAccessPolicyPOST/v1/cwobject/access-policyApply or update access policies.
DeleteAccessPolicyDELETE/v1/cwobject/access-policy/[POLICY-NAME]Delete an access policy.
SetBucketSettingsPUT/v1/cwobject/bucket/settingsConfigure bucket settings that aren’t exposed in the S3 API.
ListBucketInfoGET/v1/cwobject/bucket-infoList information about all buckets.
GetBucketInfoGET/v1/cwobject/bucket-info/[BUCKET-NAME]Get information about a specific bucket.
SetOrganizationSettingsPUT/v1/cwobject/organization/settingsConfigure settings related to your organization and CoreWeave AI Object Storage.
RevokeAccessKeyByAccessKeyPOST/v1/cwobject/revoke-access-key/access-keyRevoke a specific access key.
RevokeAccessKeysByPrincipalPOST/v1/cwobject/revoke-access-key/principalRevoke all access keys for a principal.
CreateAccessKeyFromSAMLPOST/v1/cwobject/temporary-credentials/samlGenerate temporary access keys for CoreWeave AI Object Storage access via a SAML assertion.

AuthCanI

MethodEndpoint
POST/v1/cwobject/auth/can-i
Check whether the current user is allowed to perform a set of actions on a set of resources. Both actions and resources are required. The endpoint returns a single verdict that is true only if the user is allowed to perform all listed actions on all listed resources. Supply the actions and resources as a JSON object in the request body. To check whether you can list buckets and list access keys on all resources, save the following JSON object as data.json.
data.json
{
  "actions": ["cwobject:ListBucketInfo", "cwobject:ListAccessKeyInfo"],
  "resources": ["*"]
}
Submit the request, passing the JSON object in the body as data.json.
Example request
curl -X POST https://api.coreweave.com/v1/cwobject/auth/can-i \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer [API-ACCESS-TOKEN]" \
     -d @data.json
A successful response returns a single boolean verdict.
Response status code 200
{
  "verdict": true
}

CreateAccessKeyFromJWT

MethodEndpoint
POST/v1/cwobject/access-key
Generate an access key via a Cloud token. Access keys are time-limited or permanent, depending on the value of durationSeconds passed in the JSON object.
The durationSeconds field is required.
To create a permanent access key, set durationSeconds to 0, and give the key a name.
data.json
{
  "durationSeconds": 0,
  "attributes": {
    "name": "permanent-key"
  }
}
To create a temporary access key, specify the duration in seconds, and give the key a name.
data.json
{
  "durationSeconds": 300,
  "attributes": {
    "name": "temporary-key"
  }
}
Submit the request, passing the JSON object in the body as data.json.
Example request
curl -X POST https://api.coreweave.com/v1/cwobject/access-key \
     -H "Content-Type: application/json" \
        -H "Authorization: Bearer [API-ACCESS-TOKEN]" \
        -d @data.json
A successful response returns the generated access key.
Response status code 200

{
    "accessKeyID": "CWABCDEFGHIJKLMN",
    "expiry": "1970-01-15T01:01:01Z",
    "principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1",
    "secretKey": "cwo1234567890abcdefghijklmnopqrstuvwxyz1234"
}

ListAccessKeyInfo

MethodEndpoint
GET/v1/cwobject/access-key
List information about all access keys.
Example request
curl -X GET https://api.coreweave.com/v1/cwobject/access-key \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer [API-ACCESS-TOKEN]"
A successful response returns a list of all access keys and their details.
Response status code 200
{
  "info": [
    {
      "accessKeyId": "CWABCDEFGHIJKLMN",
      "status": "string",
      "principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1",
      "attributes": {
        "property1": "string",
        "property2": "string"
      },
      "expiry": "2019-08-24T14:15:22Z",
      "orgId": "abc123"
    }
  ]
}

GetAccessKeyInfo

MethodEndpoint
GET/v1/cwobject/access-key/[ACCESS-KEY-ID]
Get information about a specific access key. Provide the [ACCESS-KEY-ID] to retrieve as shown.
Example request
curl -X GET https://api.coreweave.com/v1/cwobject/access-key/[ACCESS-KEY-ID] \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer [API-ACCESS-TOKEN]"
A successful response returns the details for the requested access key.
Response status code 200
{
  "info": {
    "accessKeyId": "CWABCDEFGHIJKLMN",
    "status": "string",
    "principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1",
    "attributes": {
      "property1": "string",
      "property2": "string"
    },
    "expiry": "2019-08-24T14:15:22Z",
    "orgId": "abc123"
  }
}

ListAccessPolicies

MethodEndpoint
GET/v1/cwobject/access-policy
List all Object Storage access policies in the organization, which define who can access the storage and what actions they can perform.
Example request
curl -X GET https://api.coreweave.com/v1/cwobject/access-policy \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer [API-ACCESS-TOKEN]"
A successful response returns a list of all access policies.
Response status code 200
{
  "policies": [
    {
      "version": "v1alpha1",
      "name": "string",
      "statements": [
        {
          "name": "string",
          "effect": "Allow",
          "actions": [
            "s3:CreateBucket"
          ],
          "resources": [
            "string"
          ],
          "principals": [
            "string"
          ]
        }
      ]
    }
  ]
}

EnsureAccessPolicy

MethodEndpoint
POST/v1/cwobject/access-policy
Apply or update access policies that define who can access the storage and what actions they can perform.
Just as with bucket access policies, CoreWeave supports all actions that take place inside access policies. However, within access policies, we also support the following set of cwobject:* actions:
  • cwobject:CreateAccessKey
  • cwobject:CreateAccessKeySAML
  • cwobject:ListAccessKeyInfo
  • cwobject:GetAccessKeyInfo
  • cwobject:UpdateAccessKeyStatus
  • cwobject:RevokeAccessKeyByAccessKey
  • cwobject:RevokeAccessKeysByPrincipal
  • cwobject:EnsureAccessPolicy
  • cwobject:ListAccessPolicy
  • cwobject:DeleteAccessPolicy
  • cwobject:ListBucketInfo
  • cwobject:GetBucketInfo
  • cwobject:EnableBucketAuditLogging
  • cwobject:DisableBucketAuditLogging
  • cwobject:EnableBucketAuditLoggingDefault
  • cwobject:DisableBucketAuditLoggingDefault
  • cwobject:EnableControlPlaneAuditLogging
  • cwobject:DisableControlPlaneAuditLogging
Please note: cwobject actions must use "*" as the resource value.
Supply the policy as a JSON object in the request body. To allow all actions on all resources for all principals, save the following JSON object as data.json.
data.json
{
  "policy": {
    "version": "v1alpha1",
    "name": "test-policy",
    "statements": [
      {
        "name": "allow-everything",
        "effect": "Allow",
        "actions": ["*"],
        "resources": ["*"],
        "principals": ["*"]
      }
    ]
  }
}
Submit the request, passing the JSON object in the body as data.json.
Example request
curl -X POST https://api.coreweave.com/v1/cwobject/access-policy \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer [API-ACCESS-TOKEN]" \
       -d @data.json
A successful response returns an empty object.
Response status code 200
{}

DeleteAccessPolicy

MethodEndpoint
DELETE/v1/cwobject/access-policy/[POLICY-NAME]
Delete an access policy. Provide the [POLICY-NAME] to delete as shown.
Example request
curl -X DELETE https://api.coreweave.com/v1/cwobject/access-policy/[POLICY-NAME] \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer [API-ACCESS-TOKEN]"
A successful response returns an empty object.
Response status code 200
{}

SetBucketSettings

MethodEndpoint
PUT/v1/cwobject/bucket/settings
Configure bucket settings that aren’t exposed in the S3 API. Supply the bucket settings as a JSON object in the request body. To enable audit logging for a bucket, save the following JSON object as data.json.
data.json
{
  "bucketName": "string",
  "settings": {
    "auditLoggingEnabled": true
  }
}
Submit the request, passing the JSON object in the body as data.json.
Example request
curl -X PUT https://api.coreweave.com/v1/cwobject/bucket/settings \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer [API-ACCESS-TOKEN]" \
       -d @data.json
A successful response returns the updated bucket settings.
Response status code 200
{
  "settings": {
    "auditLoggingEnabled": true
  }
}

ListBucketInfo

MethodEndpoint
GET/v1/cwobject/bucket-info
List information about all buckets.
Example request
curl -X GET https://api.coreweave.com/v1/cwobject/bucket-info \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer [API-ACCESS-TOKEN]"
A successful response returns a list of all buckets and their details.
Response status code 200
{
  "info": [
    {
      "orgId": "abc123",
      "name": "my-bucket",
      "creationTime": "2019-08-24T14:15:22Z",
      "settings": {
        "auditLoggingEnabled": true
      },
      "location": "string",
      "usage": [
        {
          "measurementType": "string",
          "value": "string",
          "valueHumanReadable": "string"
        }
      ]
    }
  ]
}

GetBucketInfo

MethodEndpoint
GET/v1/cwobject/bucket-info/[BUCKET-NAME]
Get information about a specific bucket. Provide the [BUCKET-NAME] to retrieve as shown.
Example request
curl -X GET https://api.coreweave.com/v1/cwobject/bucket-info/[BUCKET-NAME] \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer [API-ACCESS-TOKEN]"
A successful response returns the details for the requested bucket.
Response status code 200
{
  "info": {
    "orgId": "abc123",
    "name": "my-bucket",
    "creationTime": "2019-08-24T14:15:22Z",
    "settings": {
      "auditLoggingEnabled": true
    },
    "location": "string",
    "usage": [
      {
        "measurementType": "string",
        "value": "string",
        "valueHumanReadable": "string"
      }
    ]
  }
}

SetOrganizationSettings

MethodEndpoint
PUT/v1/cwobject/organization/settings
Configure settings related to your organization and CoreWeave AI Object Storage. Supply the organization settings as a JSON object in the request body. When bucketAuditLoggingEnabled is true, data plane audit logging applies to buckets created after the setting is enabled; buckets that already exist are unchanged until you enable audit logging with SetBucketSettings. To enable control plane logging and organization-level data plane logging for buckets created after the setting is enabled, save the following JSON object as data.json.
data.json
{
  "settings": {
    "controlPlaneAuditLoggingEnabled": true,
    "bucketAuditLoggingEnabled": true
  }
}
Submit the request, passing the JSON object in the body as data.json.
Example request
curl -X PUT https://api.coreweave.com/v1/cwobject/organization/settings \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer [API-ACCESS-TOKEN]" \
       -d @data.json
A successful response returns the updated organization settings.
Response status code 200
{
  "settings": {
    "controlPlaneAuditLoggingEnabled": true,
    "bucketAuditLoggingEnabled": true
  }
}

RevokeAccessKeyByAccessKey

MethodEndpoint
POST/v1/cwobject/revoke-access-key/access-key
Revoke a specific access key. To delete example-access-key create the following JSON object as data.json.
data.json
{
  "accessKey": "example-access-key"
}
Submit the request, passing the JSON object in the body as data.json.
Example request
curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/access-key \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer [API-ACCESS-TOKEN]" \
       -d @data.json
A successful response returns an empty object.
Response status code 200
{}

RevokeAccessKeysByPrincipal

MethodEndpoint
POST/v1/cwobject/revoke-access-key/principal
Revoke all access keys for a principal. To delete all access keys for coreweave/ueqXfgRCYGqptEXAMPLE1, create the following JSON object as data.json.
data.json
{
  "principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1"
}
Submit the request, passing the JSON object in the body as data.json.
Example request
curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/principal \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer [API-ACCESS-TOKEN]" \
       -d @data.json
A successful response returns an empty object.
Response status code 200
{}

CreateAccessKeyFromSAML

MethodEndpoint
POST/v1/cwobject/temporary-credentials/saml
Generate a time-limited access key for an Org ID. The maximum lifespan of the key is 43200 seconds (12 hours).
samlResponse must be Base64-encoded.
To generate temporary credentials with a 300-second lifespan and a SAML assertion from https://example.com/metadata/, create the following JSON object as data.json:
data.json
{
  "durationSeconds": 300,
  "attributes": {
    "name": "test-key"
  },
  "orgId": "abc123",
  "configId": "[WIF-CONFIG-ID]",
  "samlResponse": "[BASE64-ENCODED-SAML-RESPONSE]"
}
  • The lifespan of the key is set by durationSeconds.
  • The key name is set by attributes.name.
To regenerate this ephemeral key, you must resubmit the SAML assertion after durationSeconds has elapsed.
configId values are generated via the Cloud Console by creating a Workload Federation configuration. See Using Workload Identity Federation with SAML.
Submit the request, passing the JSON object in the body as data.json.
Example request
curl -X POST https://api.coreweave.com/v1/cwobject/temporary-credentials/saml  \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer [API-ACCESS-TOKEN]" \
       -d @data.json
A successful response returns the generated credentials, for example:
Response status code 200
{
  "accessKeyID": "CWABCDEFGHIJKLMN",
  "expiry": "1970-01-15T01:01:01Z",
  "principalName": "saml/examplerole",
  "secretKey": "cwo1234567890abcdefghijklmnerkgnelrkwgnvwxyz1234"
}
Last modified on April 28, 2026