POST /v1/cwobject/temporary-credentials/oidc
Create access key from OIDC
curl --request POST \
  --url https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc \
  --header 'Content-Type: application/json' \
  --data '
{
  "durationSeconds": 21600,
  "orgId": "<string>",
  "oidcToken": "<string>",
  "attributes": {}
}
'
{
  "accessKeyId": "<string>",
  "secretKey": "<string>",
  "principalName": "<string>",
  "expiry": "2023-11-07T05:31:56Z",
  "attributes": {}
}

gRPC method: CreateAccessKeyFromOIDC

  • The API server is https://api.coreweave.com.
  • This endpoint is anonymous on the CoreWeave side — authentication comes from the OIDC token in the request body, not a Bearer token in the header.
Exchanges an OIDC token from a configured Workload Identity Federation provider for a temporary CoreWeave AI Object Storage access key. The lifespan is set by durationSeconds and must be 0–43200 seconds (12 hours maximum).
data.json
{
  "durationSeconds": 300,
  "orgId": "abc123",
  "oidcToken": "[OIDC-TOKEN]",
  "attributes": {
    "name": "test-key"
  }
}
Example request
curl -X POST https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc \
       -H "Content-Type: application/json" \
       -d @data.json

Body

application/json

Inputs for exchanging an OIDC token for a CoreWeave AI Object Storage access key.

durationSeconds
integer<uint32>
required

Lifespan of the resulting access key in seconds. Must be 0–43200 (12 hours maximum).

Required range: 0 <= x <= 43200
orgId
string
required

The CoreWeave organization ID to mint the access key for.

oidcToken
string
required

The OIDC token from the configured Workload Identity Federation provider.

attributes
object

Free-form caller-supplied attributes attached to the key (for example, name).

Response

OK

The newly minted access key. This response is the only opportunity to read the secretKey value.

accessKeyId
string

The access-key ID.

secretKey
string

The secret access key. Treat as a credential and store it securely on receipt.

principalName
string

The fully-qualified principal name that owns the access key.

expiry
string<date-time>

The expiration time of the access key.

attributes
object

The attributes that were attached to the key on creation.
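
An added example (not CoreWeave's own code) of calling this endpoint with Python's standard library: it enforces the documented durationSeconds range before sending, keeps secretKey out of repr output, and writes the key to an owner-only file. The names AccessKey, build_request, parse_response, store and exchange, the 10-second timeout, the stored file layout and the SAMPLE response are assumptions made for this example.

```python
import json
import os
import urllib.request
from dataclasses import dataclass, field
from datetime import datetime

URL = "https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc"
MAX_DURATION = 43200  # documented upper bound (12 hours)

@dataclass
class AccessKey:
    access_key_id: str
    secret_key: str = field(repr=False)  # keep the secret out of logs and tracebacks
    principal_name: str
    expiry: datetime

def build_request(org_id, oidc_token, duration_seconds, attributes=None):
    """Build the POST. No Authorization header: the OIDC token in the body authenticates."""
    ok_type = isinstance(duration_seconds, int) and not isinstance(duration_seconds, bool)
    if not ok_type or not 0 <= duration_seconds <= MAX_DURATION:
        raise ValueError("durationSeconds must be an integer in 0..43200")
    body = {"durationSeconds": duration_seconds, "orgId": org_id,
            "oidcToken": oidc_token, "attributes": attributes or {}}
    return urllib.request.Request(URL, data=json.dumps(body).encode(), method="POST",
                                  headers={"Content-Type": "application/json"})

def parse_response(raw):
    """Parse the response body into an AccessKey with a timezone-aware expiry."""
    doc = json.loads(raw)
    expiry = datetime.fromisoformat(doc["expiry"].replace("Z", "+00:00"))
    return AccessKey(doc["accessKeyId"], doc["secretKey"], doc["principalName"], expiry)

def store(key, path):
    """Write the key to a new file with mode 0600; fails if the path already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"accessKeyId": key.access_key_id, "secretKey": key.secret_key,
                   "expiry": key.expiry.isoformat()}, f)

def exchange(org_id, oidc_token, duration_seconds, path):
    """Perform the exchange over the network and persist the result."""
    req = build_request(org_id, oidc_token, duration_seconds)
    with urllib.request.urlopen(req, timeout=10) as resp:
        key = parse_response(resp.read())
    store(key, path)
    return key

# Constructed sample response, shaped like the documented schema (not real credentials).
SAMPLE = (b'{"accessKeyId":"AKEXAMPLE","secretKey":"s3cr3t-example",'
          b'"principalName":"example-principal","expiry":"2023-11-07T05:31:56Z","attributes":{}}')
```
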

Last modified on June 25, 2026