Skip to main content
GET
/
v1
/
cwobject
/
temporary-credentials
/
oidc
/
{orgId}
Create access key from container credentials
curl --request GET \
  --url https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc/{orgId} \
  --header 'Authorization: <api-key>'
{
  "AccessKeyId": "<string>",
  "SecretAccessKey": "<string>",
  "Token": "<string>",
  "Expiration": "2023-11-07T05:31:56Z",
  "attributes": {},
  "multiAttributes": {}
}

gRPC method: CreateAccessKeyFromContainerCreds

  • The API server is https://api.coreweave.com.
  • This endpoint uses the ContainerCredentialsAuth scheme: send a raw JWT/OIDC token as the Authorization header value, with no Bearer prefix. This shape matches the AWS container-credentials provider for in-cluster workloads.
Returns a short-lived CoreWeave AI Object Storage access key for an in-cluster workload, authenticated by the workload’s own OIDC token. The response uses the AWS-compatible PascalCase shape (AccessKeyId, SecretAccessKey, Token, Expiration) so existing AWS SDKs and tooling that consume the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable can adopt it without code changes. Substitute {orgId} with your organization ID.
Example request
curl -X GET https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc/{orgId} \
       -H "Content-Type: application/json" \
       -H "Authorization: [OIDC-TOKEN]"

Authorizations

Authorization
string
header
required

Raw JWT/OIDC token sent as the Authorization header value with no Bearer prefix. Only used by GET /v1/cwobject/temporary-credentials/oidc/{orgId} for the AWS-style container-credentials provider.

Path Parameters

orgId
string
required

Response

OK

AWS-compatible container-credentials response shape. The property names use PascalCase (AccessKeyId, SecretAccessKey, Token, Expiration) so existing AWS SDKs and tooling that consume AWS_CONTAINER_CREDENTIALS_FULL_URI can adopt this endpoint without code changes. This is intentional and differs from every other endpoint, which uses camelCase.

AccessKeyId
string

The access-key ID.

SecretAccessKey
string

The secret access key. Treat as a credential.

Token
string

An optional session token. May be empty for non-session credentials.

Expiration
string<date-time>

The expiration time of the credentials.

attributes
object

Free-form caller-supplied attributes attached to the key (for example, name).

multiAttributes
object

Free-form caller-supplied multi-valued attributes attached to the key. Each value is an AttributeList (an array of strings).

Last modified on June 25, 2026