> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
> Use this file to discover all available pages before exploring further.
# AI Object Storage API
> Manage organization-wide access policies, bucket settings, and access keys
With an access token, you can interact with the CoreWeave AI Object Storage API using `curl` or any other HTTP client. The AI Object Storage API allows users to set organization-wide access policies, configure bucket settings, and manage access keys.
CoreWeave AI Object Storage is an [S3-compatible](/products/storage/object-storage/reference/object-storage-s3) object storage solution with two APIs.
* Use the **S3-compatible API** for operations like uploading objects.
* Use the **AI Object Storage API** for tasks outside the S3-compatible API command set, like creating access keys from SAML assertions.
* The API server is `https://api.coreweave.com`.
* Replace `[API-ACCESS-TOKEN]` in the following examples with your [CoreWeave API access token](/security/authn-authz/manage-api-access-tokens).
## Operations
| Action | Method | Endpoint | Description |
| ----------------------------------------------------------- | -------- | ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| [AuthCanI](#authcani) | `POST` | `/v1/cwobject/auth/can-i` | Check whether the current user is allowed to perform a set of actions on a set of resources. |
| [CreateAccessKeyFromJWT](#createaccesskeyfromjwt) | `POST` | `/v1/cwobject/access-key` | Create an access key through an API access token. |
| [ListAccessKeyInfo](#listaccesskeyinfo) | `GET` | `/v1/cwobject/access-key` | List information about all access keys. |
| [GetAccessKeyInfo](#getaccesskeyinfo) | `GET` | `/v1/cwobject/access-key/[ACCESS-KEY-ID]` | Get information about a specific access key. |
| [ListAccessPolicies](#listaccesspolicies) | `GET` | `/v1/cwobject/access-policy` | List all Object Storage access policies in the organization. |
| [EnsureAccessPolicy](#ensureaccesspolicy) | `POST` | `/v1/cwobject/access-policy` | Apply or update access policies. |
| [DeleteAccessPolicy](#deleteaccesspolicy) | `DELETE` | `/v1/cwobject/access-policy/[POLICY-NAME]` | Delete an access policy. |
| [SetBucketSettings](#setbucketsettings) | `PUT` | `/v1/cwobject/bucket/settings` | Configure bucket settings that aren't exposed in the [S3-compatible API](/products/storage/object-storage/reference/object-storage-s3). |
| [ListBucketInfo](#listbucketinfo) | `GET` | `/v1/cwobject/bucket-info` | List information about all buckets. |
| [GetBucketInfo](#getbucketinfo) | `GET` | `/v1/cwobject/bucket-info/[BUCKET-NAME]` | Get information about a specific bucket. |
| [SetOrganizationSettings](#setorganizationsettings) | `PUT` | `/v1/cwobject/organization/settings` | Configure settings related to your organization and CoreWeave AI Object Storage. |
| [RevokeAccessKeyByAccessKey](#revokeaccesskeybyaccesskey) | `POST` | `/v1/cwobject/revoke-access-key/access-key` | Revoke a specific access key. |
| [RevokeAccessKeysByPrincipal](#revokeaccesskeysbyprincipal) | `POST` | `/v1/cwobject/revoke-access-key/principal` | Revoke all access keys for a principal. |
| [CreateAccessKeyFromSAML](#createaccesskeyfromsaml) | `POST` | `/v1/cwobject/temporary-credentials/saml` | Generate temporary access keys for CoreWeave AI Object Storage access through a SAML assertion. |
For per-endpoint request and response schemas, see the **CWObject** pages in the left sidebar under **AI Object Storage API**. Each HTTP endpoint maps to a gRPC method on the `CWObject` service:
| gRPC method | Documentation |
| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ListAccessKeyInfo` | [List access keys](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/list-access-keys) |
| `CreateAccessKeyFromJWT` | [Create access key](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/create-access-key) |
| `UpdateAccessKeyStatus` | [Update access key status](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/update-access-key-status) |
| `GetAccessKeyInfo` | [Get access key](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/get-access-key) |
| `ListAccessPolicies` | [List access policies](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/list-access-policies) |
| `EnsureAccessPolicy` | [Apply or update access policy](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/apply-or-update-access-policy) |
| `DeleteAccessPolicy` | [Delete access policy](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/delete-access-policy) |
| `AuthCanI` | [Check authorization](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/check-authorization) |
| `ListBucketInfo` | [List bucket info](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/list-bucket-info) |
| `GetBucketInfo` | [Get bucket info](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/get-bucket-info) |
| `SetBucketSettings` | [Set bucket settings](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/set-bucket-settings) |
| `SetOrganizationSettings` | [Set organization settings](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/set-organization-settings) |
| `RevokeAccessKeyByAccessKey` | [Revoke an access key](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/revoke-an-access-key) |
| `RevokeAccessKeysByPrincipal` | [Revoke a principal's access keys](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/revoke-a-principals-access-keys) |
| `CreateAccessKeyFromOIDC` | [Create access key from OIDC](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/create-access-key-from-oidc) |
| `CreateAccessKeyFromContainerCreds` | [Create access key from container credentials](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/create-access-key-from-container-credentials) |
| `CreateAccessKeyFromSAML` | [Create access key from SAML](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/create-access-key-from-saml) |
## Authentication
Most requests authenticate with a [CoreWeave API access token](/security/authn-authz/manage-api-access-tokens) sent as a bearer token in the `Authorization` header (the `TokenAuth` scheme). For required permissions on each operation, see [IAM Access Policies](/security/iam/access-policies).
Three endpoints are special and call out their own authentication requirements on the per-operation page:
* `POST /v1/cwobject/temporary-credentials/saml` and `POST /v1/cwobject/temporary-credentials/oidc` are **anonymous** on the CoreWeave side. They exchange an external IdP assertion for a CoreWeave access key, so no CoreWeave bearer token is required.
* `GET /v1/cwobject/temporary-credentials/oidc/{orgId}` uses the **`ContainerCredentialsAuth`** scheme: send a raw JWT/OIDC token as the `Authorization` header value with **no** `Bearer` prefix. This shape matches the AWS container-credentials provider for in-cluster workloads.
## gRPC schema and SDKs (Buf)
The AI Object Storage API is also exposed as a gRPC service defined in Protobuf. Use the same API host, `https://api.coreweave.com`, with token-based authentication.
* **Service**: `CWObject` (package `coreweave.cwobject.v1`)
* **Public BSR module**: `buf.build/coreweave/cwobject`
* **TypeScript SDK namespace**: `@buf/coreweave_cwobject.bufbuild_es`
The gRPC methods align with the HTTP endpoints listed in [Operations](#operations).
## Access-key status values
The `status` field on access keys uses the proto-3 enum `AccessKeyStatus`. The wire format is the symbolic name:
| Value | Meaning |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ACCESS_KEY_STATUS_ACTIVE` | The key can be used to authenticate. |
| `ACCESS_KEY_STATUS_SUSPENDED` | The key exists but cannot authenticate; reactivate it to restore access. |
| `ACCESS_KEY_STATUS_UNSPECIFIED` | Proto zero value (`field not set`). Do not send it -- the server treats it as missing and rejects the request. The `ListAccessKeyInfo` filter treats it as "no filter applied". |
## Access policies
Access policies use a small grammar that maps cleanly to the AWS IAM shape. Policies are documented in [IAM Access Policies](/security/iam/access-policies); the canonical list of actions (`cwobject:*`, `s3:*`) lives in the [the CoreWeave AI Object Storage actions reference](/products/storage/object-storage/auth-access/organization-policies/manage#allowed-ai-object-storage-api-actions).
Two fields on the policy schema are open strings on the wire today (upstream emits them as `type: string` with no `enum:` list):
| Field | Valid values |
| -------------------------------- | --------------- |
| `CWObjectPolicyStatement.effect` | `Allow`, `Deny` |
| `CWObjectPolicy.version` | `v1alpha1` |
The auto-generated reference documents these values in the field description prose; the overlay does not add a tooling-enforced `enum` constraint, because upstream would have to renegotiate that constraint every time it adds a new effect or policy version. See the storage overlay report for the upstream recommendation.
## Pagination
The `limit` parameter on `ListAccessKeyInfo` and `ListBucketInfo` accepts values from `1` to `1000` (declared in the proto, reasserted in the overlay because `protoc-gen-openapi` strips the bound). Use `offset` for zero-based pagination.