> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
> Use this file to discover all available pages before exploring further.
# AI Object Storage API
> Manage organization-wide access policies, bucket settings, and access keys
This reference describes the endpoints available in the CoreWeave AI Object Storage API. Use it to look up the method, path, request body, and example response for each operation. With an access token, you can interact with the API using `curl` or any other HTTP client. The AI Object Storage API lets you set organization-wide access policies, configure bucket settings, and manage access keys.
CoreWeave AI Object Storage is an [S3-compatible](/products/storage/object-storage/reference/object-storage-s3) object storage solution with two APIs.
* Use the **S3-compatible API** for operations like uploading objects.
* Use the **AI Object Storage API** for tasks outside the S3-compatible API command set, like creating access keys from SAML assertions.
## Summary
This table lists the available endpoints for the CoreWeave AI Object Storage API. Click an action for detailed information.
* The API server is `https://api.coreweave.com`.
* Replace `[API-ACCESS-TOKEN]` in the following examples with your [CoreWeave API access token](/security/authn-authz/manage-api-access-tokens).
| Action | Method | Endpoint | Description |
| ----------------------------------------------------------- | ---------- | ------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| [AuthCanI](#authcani) | **POST** | `/v1/cwobject/auth/can-i` | Check whether the current user is allowed to perform a set of actions on a set of resources. |
| [CreateAccessKeyFromJWT](#createaccesskeyfromjwt) | **POST** | `/v1/cwobject/access-key` | Create an access key through a Cloud token. |
| [ListAccessKeyInfo](#listaccesskeyinfo) | **GET** | `/v1/cwobject/access-key` | List information about all access keys. |
| [GetAccessKeyInfo](#getaccesskeyinfo) | **GET** | `/v1/cwobject/access-key/[ACCESS-KEY-ID]` | Get information about a specific access key. |
| [ListAccessPolicies](#listaccesspolicies) | **GET** | `/v1/cwobject/access-policy` | List all Object Storage access policies in the organization. |
| [EnsureAccessPolicy](#ensureaccesspolicy) | **POST** | `/v1/cwobject/access-policy` | Apply or update access policies. |
| [DeleteAccessPolicy](#deleteaccesspolicy) | **DELETE** | `/v1/cwobject/access-policy/[POLICY-NAME]` | Delete an access policy. |
| [SetBucketSettings](#setbucketsettings) | **PUT** | `/v1/cwobject/bucket/settings` | Configure bucket settings that aren't exposed in the S3 API. |
| [ListBucketInfo](#listbucketinfo) | **GET** | `/v1/cwobject/bucket-info` | List information about all buckets. |
| [GetBucketInfo](#getbucketinfo) | **GET** | `/v1/cwobject/bucket-info/[BUCKET-NAME]` | Get information about a specific bucket. |
| [SetOrganizationSettings](#setorganizationsettings) | **PUT** | `/v1/cwobject/organization/settings` | Configure settings related to your organization and CoreWeave AI Object Storage. |
| [RevokeAccessKeyByAccessKey](#revokeaccesskeybyaccesskey) | **POST** | `/v1/cwobject/revoke-access-key/access-key` | Revoke a specific access key. |
| [RevokeAccessKeysByPrincipal](#revokeaccesskeysbyprincipal) | **POST** | `/v1/cwobject/revoke-access-key/principal` | Revoke all access keys for a principal. |
| [CreateAccessKeyFromSAML](#createaccesskeyfromsaml) | **POST** | `/v1/cwobject/temporary-credentials/saml` | Generate temporary access keys for CoreWeave AI Object Storage access through a SAML assertion. |
## AuthCanI
| Method | Endpoint |
| -------- | ------------------------- |
| **POST** | `/v1/cwobject/auth/can-i` |
Check whether the current user is allowed to perform a set of actions on a set of resources. Both `actions` and `resources` are required. The endpoint returns a single `verdict` that is `true` only if the user is allowed to perform **all** listed actions on **all** listed resources.
Supply the actions and resources as a JSON object in the request body. To check whether you can list buckets and list access keys on all resources, save the following JSON object as `data.json`.
```json title="data.json" theme={"system"}
{
"actions": ["cwobject:ListBucketInfo", "cwobject:ListAccessKeyInfo"],
"resources": ["*"]
}
```
Submit the request, passing the JSON object in the body as `data.json`.
```bash title="Example request" theme={"system"}
curl -X POST https://api.coreweave.com/v1/cwobject/auth/can-i \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]" \
-d @data.json
```
A successful response returns a single boolean verdict.
```json title="Response status code 200" theme={"system"}
{
"verdict": true
}
```
## CreateAccessKeyFromJWT
| Method | Endpoint |
| -------- | ------------------------- |
| **POST** | `/v1/cwobject/access-key` |
[Generate an access key](/products/storage/object-storage/auth-access/manage-access-keys/about) through a Cloud token. Access keys are time-limited or permanent, depending on the value of `durationSeconds` passed in the JSON object.
The `durationSeconds` field is required.
To create a permanent access key, set `durationSeconds` to `0`, and give the key a name.
```json title="data.json" theme={"system"}
{
"durationSeconds": 0,
"attributes": {
"name": "permanent-key"
}
}
```
To create a temporary access key, specify the duration in seconds, and give the key a name.
```json title="data.json" theme={"system"}
{
"durationSeconds": 300,
"attributes": {
"name": "temporary-key"
}
}
```
Submit the request, passing the JSON object in the body as `data.json`.
```bash title="Example request" theme={"system"}
curl -X POST https://api.coreweave.com/v1/cwobject/access-key \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]" \
-d @data.json
```
A successful response returns the generated access key.
```json title="Response status code 200" theme={"system"}
{
"accessKeyID": "CWABCDEFGHIJKLMN",
"expiry": "1970-01-15T01:01:01Z",
"principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1",
"secretKey": "cwo1234567890abcdefghijklmnopqrstuvwxyz1234"
}
```
## ListAccessKeyInfo
| Method | Endpoint |
| ------- | ------------------------- |
| **GET** | `/v1/cwobject/access-key` |
List information about all access keys.
```bash title="Example request" theme={"system"}
curl -X GET https://api.coreweave.com/v1/cwobject/access-key \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]"
```
A successful response returns a list of all access keys and their details.
```json title="Response status code 200" theme={"system"}
{
"info": [
{
"accessKeyId": "CWABCDEFGHIJKLMN",
"status": "string",
"principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1",
"attributes": {
"property1": "string",
"property2": "string"
},
"expiry": "2019-08-24T14:15:22Z",
"orgId": "abc123"
}
]
}
```
## GetAccessKeyInfo
| Method | Endpoint |
| ------- | ----------------------------------------- |
| **GET** | `/v1/cwobject/access-key/[ACCESS-KEY-ID]` |
Get information about a specific access key. Provide the `[ACCESS-KEY-ID]` to retrieve as shown.
```bash title="Example request" highlight={1} theme={"system"}
curl -X GET https://api.coreweave.com/v1/cwobject/access-key/[ACCESS-KEY-ID] \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]"
```
A successful response returns the details for the requested access key.
```json title="Response status code 200" theme={"system"}
{
"info": {
"accessKeyId": "CWABCDEFGHIJKLMN",
"status": "string",
"principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1",
"attributes": {
"property1": "string",
"property2": "string"
},
"expiry": "2019-08-24T14:15:22Z",
"orgId": "abc123"
}
}
```
## ListAccessPolicies
| Method | Endpoint |
| ------- | ---------------------------- |
| **GET** | `/v1/cwobject/access-policy` |
List all Object Storage access policies in the organization, which define who can access the storage and what actions they can perform.
```bash title="Example request" theme={"system"}
curl -X GET https://api.coreweave.com/v1/cwobject/access-policy \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]"
```
A successful response returns a list of all access policies.
```json title="Response status code 200" theme={"system"}
{
"policies": [
{
"version": "v1alpha1",
"name": "string",
"statements": [
{
"name": "string",
"effect": "Allow",
"actions": [
"s3:CreateBucket"
],
"resources": [
"string"
],
"principals": [
"string"
]
}
]
}
]
}
```
## EnsureAccessPolicy
| Method | Endpoint |
| -------- | ---------------------------- |
| **POST** | `/v1/cwobject/access-policy` |
Apply or update access policies that define who can access the storage and what actions they can perform.
As with bucket access policies, CoreWeave supports all actions that take place **inside** access policies. However, within access policies, CoreWeave also supports the following set of `cwobject:*` actions:
* `cwobject:CreateAccessKey`
* `cwobject:CreateAccessKeySAML`
* `cwobject:ListAccessKeyInfo`
* `cwobject:GetAccessKeyInfo`
* `cwobject:UpdateAccessKeyStatus`
* `cwobject:RevokeAccessKeyByAccessKey`
* `cwobject:RevokeAccessKeysByPrincipal`
* `cwobject:EnsureAccessPolicy`
* `cwobject:ListAccessPolicy`
* `cwobject:DeleteAccessPolicy`
* `cwobject:ListBucketInfo`
* `cwobject:GetBucketInfo`
* `cwobject:EnableBucketAuditLogging`
* `cwobject:DisableBucketAuditLogging`
* `cwobject:EnableBucketAuditLoggingDefault`
* `cwobject:DisableBucketAuditLoggingDefault`
* `cwobject:EnableControlPlaneAuditLogging`
* `cwobject:DisableControlPlaneAuditLogging`
**Please note:** `cwobject` actions must use `"*"` as the resource value.
Supply the policy as a JSON object in the request body. To allow all actions on all resources for all principals, save the following JSON object as `data.json`.
```json title="data.json" theme={"system"}
{
"policy": {
"version": "v1alpha1",
"name": "test-policy",
"statements": [
{
"name": "allow-everything",
"effect": "Allow",
"actions": ["*"],
"resources": ["*"],
"principals": ["*"]
}
]
}
}
```
Submit the request, passing the JSON object in the body as `data.json`.
```bash title="Example request" theme={"system"}
curl -X POST https://api.coreweave.com/v1/cwobject/access-policy \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]" \
-d @data.json
```
A successful response returns an empty object.
```json title="Response status code 200" theme={"system"}
{}
```
## DeleteAccessPolicy
| Method | Endpoint |
| ---------- | ------------------------------------------ |
| **DELETE** | `/v1/cwobject/access-policy/[POLICY-NAME]` |
Delete an access policy. Provide the `[POLICY-NAME]` to delete as shown.
```bash title="Example request" highlight={1} theme={"system"}
curl -X DELETE https://api.coreweave.com/v1/cwobject/access-policy/[POLICY-NAME] \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]"
```
A successful response returns an empty object.
```json title="Response status code 200" theme={"system"}
{}
```
## SetBucketSettings
| Method | Endpoint |
| ------- | ------------------------------ |
| **PUT** | `/v1/cwobject/bucket/settings` |
Configure bucket settings that aren't exposed in the S3 API. Supply the bucket settings as a JSON object in the request body. To enable audit logging for a bucket, save the following JSON object as `data.json`.
```json title="data.json" theme={"system"}
{
"bucketName": "string",
"settings": {
"auditLoggingEnabled": true
}
}
```
Submit the request, passing the JSON object in the body as `data.json`.
```bash title="Example request" theme={"system"}
curl -X PUT https://api.coreweave.com/v1/cwobject/bucket/settings \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]" \
-d @data.json
```
A successful response returns the updated bucket settings.
```json title="Response status code 200" theme={"system"}
{
"settings": {
"auditLoggingEnabled": true
}
}
```
## ListBucketInfo
| Method | Endpoint |
| ------- | -------------------------- |
| **GET** | `/v1/cwobject/bucket-info` |
List information about all buckets.
```bash title="Example request" theme={"system"}
curl -X GET https://api.coreweave.com/v1/cwobject/bucket-info \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]"
```
A successful response returns a list of all buckets and their details.
```json title="Response status code 200" theme={"system"}
{
"info": [
{
"orgId": "abc123",
"name": "my-bucket",
"creationTime": "2019-08-24T14:15:22Z",
"settings": {
"auditLoggingEnabled": true
},
"location": "string",
"usage": [
{
"measurementType": "string",
"value": "string",
"valueHumanReadable": "string"
}
]
}
]
}
```
## GetBucketInfo
| Method | Endpoint |
| ------- | ---------------------------------------- |
| **GET** | `/v1/cwobject/bucket-info/[BUCKET-NAME]` |
Get information about a specific bucket. Provide the `[BUCKET-NAME]` to retrieve as shown.
```bash title="Example request" highlight={1} theme={"system"}
curl -X GET https://api.coreweave.com/v1/cwobject/bucket-info/[BUCKET-NAME] \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]"
```
A successful response returns the details for the requested bucket.
```json title="Response status code 200" theme={"system"}
{
"info": {
"orgId": "abc123",
"name": "my-bucket",
"creationTime": "2019-08-24T14:15:22Z",
"settings": {
"auditLoggingEnabled": true
},
"location": "string",
"usage": [
{
"measurementType": "string",
"value": "string",
"valueHumanReadable": "string"
}
]
}
}
```
## SetOrganizationSettings
| Method | Endpoint |
| ------- | ------------------------------------ |
| **PUT** | `/v1/cwobject/organization/settings` |
Configure settings related to your organization and CoreWeave AI Object Storage. Supply the organization settings as a JSON object in the request body. When `bucketAuditLoggingEnabled` is `true`, data plane audit logging applies to buckets created after the setting is enabled. Buckets that already exist are unchanged until you enable audit logging with [SetBucketSettings](#setbucketsettings). To enable control plane logging and organization-level data plane logging for buckets created after the setting is enabled, save the following JSON object as `data.json`.
```json title="data.json" theme={"system"}
{
"settings": {
"controlPlaneAuditLoggingEnabled": true,
"bucketAuditLoggingEnabled": true
}
}
```
Submit the request, passing the JSON object in the body as `data.json`.
```bash title="Example request" theme={"system"}
curl -X PUT https://api.coreweave.com/v1/cwobject/organization/settings \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]" \
-d @data.json
```
A successful response returns the updated organization settings.
```json title="Response status code 200" theme={"system"}
{
"settings": {
"controlPlaneAuditLoggingEnabled": true,
"bucketAuditLoggingEnabled": true
}
}
```
## RevokeAccessKeyByAccessKey
| Method | Endpoint |
| -------- | ------------------------------------------- |
| **POST** | `/v1/cwobject/revoke-access-key/access-key` |
Revoke a specific access key. To delete `example-access-key`, create the following JSON object as `data.json`.
```json title="data.json" theme={"system"}
{
"accessKey": "example-access-key"
}
```
Submit the request, passing the JSON object in the body as `data.json`.
```bash title="Example request" theme={"system"}
curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/access-key \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]" \
-d @data.json
```
A successful response returns an empty object.
```json title="Response status code 200" theme={"system"}
{}
```
## RevokeAccessKeysByPrincipal
| Method | Endpoint |
| -------- | ------------------------------------------ |
| **POST** | `/v1/cwobject/revoke-access-key/principal` |
Revoke all access keys for a principal. To delete all access keys for `coreweave/ueqXfgRCYGqptEXAMPLE1`, create the following JSON object as `data.json`.
```json title="data.json" theme={"system"}
{
"principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1"
}
```
Submit the request, passing the JSON object in the body as `data.json`.
```bash title="Example request" theme={"system"}
curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/principal \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]" \
-d @data.json
```
A successful response returns an empty object.
```json title="Response status code 200" theme={"system"}
{}
```
## CreateAccessKeyFromSAML
| Method | Endpoint |
| -------- | ----------------------------------------- |
| **POST** | `/v1/cwobject/temporary-credentials/saml` |
Generate a time-limited access key for an [Org ID](/security/authn-authz/orgs-users#organization-ids). The maximum lifespan of the key is 43,200 seconds (12 hours).
`samlResponse` must be Base64-encoded.
To generate temporary credentials with a 300-second lifespan and a SAML assertion from `https://example.com/metadata/`, create the following JSON object as `data.json`:
```json title="data.json" theme={"system"}
{
"durationSeconds": 300,
"attributes": {
"name": "test-key"
},
"orgId": "abc123",
"configId": "[WIF-CONFIG-ID]",
"samlResponse": "[BASE64-ENCODED-SAML-RESPONSE]"
}
```
The following fields control the generated key:
* The lifespan of the key is set by `durationSeconds`.
* The key name is set by `attributes.name`.
To regenerate this ephemeral key, you must resubmit the SAML assertion after `durationSeconds` has elapsed.
`configId` values are generated through the Cloud Console by creating a Workload Federation configuration. See [Use Workload Identity Federation with SAML](/products/storage/object-storage/auth-access/workload-identity-federation/saml-workload-federation).
Submit the request, passing the JSON object in the body as `data.json`.
```bash title="Example request" theme={"system"}
curl -X POST https://api.coreweave.com/v1/cwobject/temporary-credentials/saml \
-H "Content-Type: application/json" \
-H "Authorization: Bearer [API-ACCESS-TOKEN]" \
-d @data.json
```
A successful response returns the generated credentials, for example:
```json title="Response status code 200" theme={"system"}
{
"accessKeyID": "CWABCDEFGHIJKLMN",
"expiry": "1970-01-15T01:01:01Z",
"principalName": "saml/examplerole",
"secretKey": "cwo1234567890abcdefghijklmnerkgnelrkwgnvwxyz1234"
}
```