POST /v1/cwobject/temporary-credentials/saml
Create access key from SAML
curl --request POST \
  --url https://api.coreweave.com/v1/cwobject/temporary-credentials/saml \
  --header 'Content-Type: application/json' \
  --data '
{
  "durationSeconds": 21600,
  "orgId": "<string>",
  "samlResponse": "<string>",
  "attributes": {},
  "configId": "<string>"
}
'
{
  "accessKeyId": "<string>",
  "secretKey": "<string>",
  "principalName": "<string>",
  "expiry": "2023-11-07T05:31:56Z",
  "attributes": {}
}

gRPC method: CreateAccessKeyFromSAML

  • The API server is https://api.coreweave.com.
  • This endpoint is anonymous on the CoreWeave side — authentication comes from the SAML assertion in the request body, not a Bearer token in the header.

Exchanges a SAML assertion from a configured Workload Identity Federation provider for a temporary CoreWeave AI Object Storage access key for the named Org ID. The lifespan is set by durationSeconds and must be 0–43200 seconds (12 hours maximum). The samlResponse must be base64-encoded. To regenerate the key after durationSeconds has elapsed, resubmit a fresh SAML assertion.

data.json
{
  "durationSeconds": 300,
  "orgId": "abc123",
  "configId": "[WIF-CONFIG-ID]",
  "samlResponse": "[BASE64-ENCODED-SAML-RESPONSE]",
  "attributes": {
    "name": "test-key"
  }
}
Example request
curl -X POST https://api.coreweave.com/v1/cwobject/temporary-credentials/saml \
       -H "Content-Type: application/json" \
       -d @data.json

Body

application/json

Inputs for exchanging a SAML assertion for a CoreWeave AI Object Storage access key.

durationSeconds
integer<uint32>
required

Lifespan of the resulting access key in seconds. Must be 0–43200 (12 hours maximum).

Required range: 0 <= x <= 43200

orgId
string
required

The CoreWeave organization ID to mint the access key for.

samlResponse
string
required

The SAML assertion, base64-encoded.

attributes
object

Free-form caller-supplied attributes attached to the key (for example, name).

configId
string

The Workload Identity Federation configuration ID that corresponds to the SAML provider. Configurations are created from the Cloud Console; see Using Workload Identity Federation with SAML.

Response

OK

The newly minted access key. This response is the only opportunity to read the secretKey value.

accessKeyId
string

The access-key ID.

secretKey
string

The secret access key. Treat as a credential and store it securely on receipt.

principalName
string

The fully-qualified principal name that owns the access key (for example, saml/examplerole).

expiry
string<date-time>

The expiration time of the access key.

attributes
object

The attributes that were attached to the key on creation.
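
The request constraints and response fields documented above, as an added Python example (not CoreWeave's own client code): it validates the body before sending, works out when to re-exchange from expiry, and masks secretKey for logging. The function names, the 60-second refresh margin and the assumption that the raw assertion arrives as bytes are choices made for this example.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

MAX_DURATION = 43200  # documented upper bound for durationSeconds (12 hours)


def build_body(org_id, saml_xml, duration_seconds, config_id=None, attributes=None):
    """Check inputs against the documented constraints and return the JSON body."""
    # type() rather than isinstance() so that True/False are rejected too.
    if type(duration_seconds) is not int or not 0 <= duration_seconds <= MAX_DURATION:
        raise ValueError("durationSeconds must be an integer in 0..43200")
    if not org_id or not saml_xml:
        raise ValueError("orgId and samlResponse are required")
    body = {
        "durationSeconds": duration_seconds,
        "orgId": org_id,
        # The endpoint expects the assertion base64-encoded, not raw XML.
        "samlResponse": base64.b64encode(saml_xml).decode("ascii"),
    }
    if config_id:
        body["configId"] = config_id
    if attributes:
        body["attributes"] = attributes
    return body


def parse_key(raw, now=None, margin=timedelta(seconds=60)):
    """Return (key, refresh_at); reject an incomplete or already expired key."""
    key = json.loads(raw)
    for field in ("accessKeyId", "secretKey", "expiry"):
        if not key.get(field):
            raise ValueError(f"response missing {field}")
    expiry = datetime.fromisoformat(key["expiry"].replace("Z", "+00:00"))
    if expiry.tzinfo is None:
        raise ValueError("expiry has no time zone")
    now = now or datetime.now(timezone.utc)
    if expiry <= now:
        raise ValueError("access key already expired")
    # Re-exchange with a fresh SAML assertion shortly before the key expires.
    return key, max(now, expiry - margin)


def redact(key):
    """Copy of the key that is safe to log: the secretKey value is masked."""
    return {**key, "secretKey": "***"}
```

Pass the output of `build_body` as the JSON request body, and log only `redact(key)`, since the secret cannot be read again after the response.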

Last modified on June 25, 2026