With an access token, you can interact with the CoreWeave AI Object Storage API using curl or any other HTTP client. The AI Object Storage API allows users to set organization-wide access policies, configure bucket settings, and manage access keys.
CoreWeave AI Object Storage is an S3-compatible object storage solution with two APIs.
  • Use the S3-compatible API for operations like uploading objects.
  • Use the AI Object Storage API for tasks outside the S3-compatible API command set, like creating access keys from SAML assertions.
  • The API server is https://api.coreweave.com.
  • Replace [API-ACCESS-TOKEN] in the following examples with your CoreWeave API access token.

Operations

| Action | Method | Endpoint | Description |
|---|---|---|---|
| AuthCanI | POST | /v1/cwobject/auth/can-i | Check whether the current user is allowed to perform a set of actions on a set of resources. |
| CreateAccessKeyFromJWT | POST | /v1/cwobject/access-key | Create an access key through an API access token. |
| ListAccessKeyInfo | GET | /v1/cwobject/access-key | List information about all access keys. |
| GetAccessKeyInfo | GET | /v1/cwobject/access-key/[ACCESS-KEY-ID] | Get information about a specific access key. |
| ListAccessPolicies | GET | /v1/cwobject/access-policy | List all Object Storage access policies in the organization. |
| EnsureAccessPolicy | POST | /v1/cwobject/access-policy | Apply or update access policies. |
| DeleteAccessPolicy | DELETE | /v1/cwobject/access-policy/[POLICY-NAME] | Delete an access policy. |
| SetBucketSettings | PUT | /v1/cwobject/bucket/settings | Configure bucket settings that aren’t exposed in the S3-compatible API. |
| ListBucketInfo | GET | /v1/cwobject/bucket-info | List information about all buckets. |
| GetBucketInfo | GET | /v1/cwobject/bucket-info/[BUCKET-NAME] | Get information about a specific bucket. |
| SetOrganizationSettings | PUT | /v1/cwobject/organization/settings | Configure settings related to your organization and CoreWeave AI Object Storage. |
| RevokeAccessKeyByAccessKey | POST | /v1/cwobject/revoke-access-key/access-key | Revoke a specific access key. |
| RevokeAccessKeysByPrincipal | POST | /v1/cwobject/revoke-access-key/principal | Revoke all access keys for a principal. |
| CreateAccessKeyFromSAML | POST | /v1/cwobject/temporary-credentials/saml | Generate temporary access keys for CoreWeave AI Object Storage access through a SAML assertion. |

For per-endpoint request and response schemas, see the CWObject pages in the left sidebar under AI Object Storage API. Each HTTP endpoint maps to a gRPC method on the CWObject service:

| gRPC method | Documentation |
|---|---|
| ListAccessKeyInfo | List access keys |
| CreateAccessKeyFromJWT | Create access key |
| UpdateAccessKeyStatus | Update access key status |
| GetAccessKeyInfo | Get access key |
| ListAccessPolicies | List access policies |
| EnsureAccessPolicy | Apply or update access policy |
| DeleteAccessPolicy | Delete access policy |
| AuthCanI | Check authorization |
| ListBucketInfo | List bucket info |
| GetBucketInfo | Get bucket info |
| SetBucketSettings | Set bucket settings |
| SetOrganizationSettings | Set organization settings |
| RevokeAccessKeyByAccessKey | Revoke an access key |
| RevokeAccessKeysByPrincipal | Revoke a principal’s access keys |
| CreateAccessKeyFromOIDC | Create access key from OIDC |
| CreateAccessKeyFromContainerCreds | Create access key from container credentials |
| CreateAccessKeyFromSAML | Create access key from SAML |

Authentication

Most requests authenticate with a CoreWeave API access token sent as a bearer token in the Authorization header (the TokenAuth scheme). For required permissions on each operation, see IAM Access Policies. Three endpoints are special and call out their own authentication requirements on the per-operation page:
  • POST /v1/cwobject/temporary-credentials/saml and POST /v1/cwobject/temporary-credentials/oidc are anonymous on the CoreWeave side. They exchange an external IdP assertion for a CoreWeave access key, so no CoreWeave bearer token is required.
  • GET /v1/cwobject/temporary-credentials/oidc/{orgId} uses the ContainerCredentialsAuth scheme: send a raw JWT/OIDC token as the Authorization header value with no Bearer prefix. This shape matches the AWS container-credentials provider for in-cluster workloads.
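The three header shapes described above, as an added example (not CoreWeave's code): a helper that picks the Authorization header per endpoint so a CoreWeave bearer token is never attached to the anonymous exchanges and the container-credentials token is sent raw. The function names and the token whitespace check are assumptions of this sketch; requests are built but not sent.

```python
import re
import urllib.request

API_SERVER = "https://api.coreweave.com"  # API host given on this page

# Anonymous on the CoreWeave side: the IdP assertion travels in the request.
ANONYMOUS = {
    ("POST", "/v1/cwobject/temporary-credentials/saml"),
    ("POST", "/v1/cwobject/temporary-credentials/oidc"),
}
# ContainerCredentialsAuth: GET .../temporary-credentials/oidc/{orgId}
CONTAINER_CREDS = re.compile(r"/v1/cwobject/temporary-credentials/oidc/[^/?#]+")


def _clean(token, what):
    """Reject empty tokens and any whitespace or control character."""
    if not token or any(c.isspace() or ord(c) < 0x20 for c in token):
        raise ValueError(f"{what} is empty or contains whitespace")
    return token


def auth_headers(method, path, api_token=None, workload_jwt=None):
    """Return the Authorization header (if any) for one CWObject endpoint."""
    method = method.upper()
    if (method, path) in ANONYMOUS:
        # No CoreWeave token is required, so none is sent.
        return {}
    if method == "GET" and CONTAINER_CREDS.fullmatch(path):
        # Raw JWT/OIDC token as the whole value; "Bearer x" fails _clean.
        return {"Authorization": _clean(workload_jwt, "workload JWT")}
    return {"Authorization": "Bearer " + _clean(api_token, "API access token")}


def build_request(method, path, body=None, **creds):
    """Build, but do not send, a request against the AI Object Storage API."""
    if not path.startswith("/v1/cwobject/"):
        raise ValueError("not an AI Object Storage API path")
    headers = auth_headers(method, path, **creds)
    return urllib.request.Request(API_SERVER + path, data=body,
                                  headers=headers, method=method.upper())
```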

gRPC schema and SDKs (Buf)

The AI Object Storage API is also exposed as a gRPC service defined in Protobuf. Use the same API host, https://api.coreweave.com, with token-based authentication.
  • Service: CWObject (package coreweave.cwobject.v1)
  • Public BSR module: buf.build/coreweave/cwobject
  • TypeScript SDK namespace: @buf/coreweave_cwobject.bufbuild_es
The gRPC methods align with the HTTP endpoints listed in Operations.

Access-key status values

The status field on access keys uses the proto3 enum AccessKeyStatus. The wire format is the symbolic name:

| Value | Meaning |
|---|---|
| ACCESS_KEY_STATUS_ACTIVE | The key can be used to authenticate. |
| ACCESS_KEY_STATUS_SUSPENDED | The key exists but cannot authenticate; reactivate it to restore access. |
| ACCESS_KEY_STATUS_UNSPECIFIED | Proto zero value (field not set). Do not send it — the server treats it as missing and rejects the request. The ListAccessKeyInfo filter treats it as “no filter applied”. |

Access policies

Access policies use a small grammar that maps cleanly to the AWS IAM shape. Policies are documented in IAM Access Policies; the canonical list of actions (cwobject:*, s3:*) lives in the CoreWeave AI Object Storage actions reference. Two fields on the policy schema are open strings on the wire today (upstream emits them as type: string with no enum: list):

| Field | Valid values |
|---|---|
| CWObjectPolicyStatement.effect | Allow, Deny |
| CWObjectPolicy.version | v1alpha1 |

The auto-generated reference documents these values in the field description prose; the overlay does not add a tooling-enforced enum constraint, because upstream would have to renegotiate that constraint every time it adds a new effect or policy version. See the storage overlay report for the upstream recommendation.
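Because the schema carries no enum for effect and version, and an unset status is rejected, a client-side check before sending catches what schema tooling will not. This pre-flight linter is an added example (not CoreWeave's code) covering both the access-key status values and the two open-string policy fields; the "statements" key and the function names are assumptions, while the accepted values are the ones listed on this page.

```python
VALID_VERSIONS = ("v1alpha1",)       # CWObjectPolicy.version
VALID_EFFECTS = ("Allow", "Deny")    # CWObjectPolicyStatement.effect
SENDABLE_STATUSES = ("ACCESS_KEY_STATUS_ACTIVE", "ACCESS_KEY_STATUS_SUSPENDED")


def _check(field, value, allowed):
    """Return None if value is documented, else a message with a near-miss hint."""
    if value in allowed:
        return None
    if isinstance(value, str):
        for good in allowed:
            if good.lower() == value.strip().lower():
                return f"{field}: {value!r} should be spelled {good!r}"
    return f"{field}: {value!r} is not one of {list(allowed)}"


def lint_policy(policy):
    """Check the two open-string fields of a policy dict; return the problems."""
    problems = [_check("version", policy.get("version"), VALID_VERSIONS)]
    statements = policy.get("statements")  # ASSUMED key name, not from the page
    if not isinstance(statements, list):
        problems.append("statements: expected a list")
        statements = []
    for i, stmt in enumerate(statements):
        effect = stmt.get("effect") if isinstance(stmt, dict) else None
        problems.append(_check(f"statements[{i}].effect", effect, VALID_EFFECTS))
    return [p for p in problems if p]


def lint_status(status):
    """Check an access-key status value before it goes into a request body."""
    if status in (None, "", "ACCESS_KEY_STATUS_UNSPECIFIED"):
        return "status: unset or UNSPECIFIED is treated as missing and rejected"
    return _check("status", status, SENDABLE_STATUSES)
```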

Pagination

The limit parameter on ListAccessKeyInfo and ListBucketInfo accepts values from 1 to 1000 (declared in the proto, reasserted in the overlay because protoc-gen-openapi strips the bound). Use offset for zero-based pagination.
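An access-key or bucket audit that reads only the first page silently misses everything after it, so the loop below walks every page while enforcing the 1 to 1000 bound on the client side. It is an added example (not CoreWeave's code) and assumes that limit and offset are query parameters, that offset counts items, and that a short page is the last one; fetch_page and fake_fetcher are hypothetical stand-ins for the HTTP call.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

API_SERVER = "https://api.coreweave.com"
MAX_LIMIT = 1000  # documented upper bound for limit


def page_url(path, limit, offset):
    """Build one page URL, enforcing the 1..1000 bound client-side."""
    if (isinstance(limit, bool) or not isinstance(limit, int)
            or not 1 <= limit <= MAX_LIMIT):
        raise ValueError(f"limit must be an integer from 1 to {MAX_LIMIT}")
    if not isinstance(offset, int) or offset < 0:
        raise ValueError("offset is zero-based and cannot be negative")
    # ASSUMPTION: limit and offset travel as query parameters on the GET.
    return f"{API_SERVER}{path}?{urlencode({'limit': limit, 'offset': offset})}"


def iter_all(fetch_page, path, limit=MAX_LIMIT, max_items=1_000_000):
    """Yield every item; fetch_page(url) -> list is supplied by the caller."""
    offset = 0
    while offset < max_items:
        items = fetch_page(page_url(path, limit, offset))
        if len(items) > limit:
            raise RuntimeError("server returned more items than limit")
        yield from items
        if len(items) < limit:   # ASSUMPTION: a short page is the last page
            return
        offset += limit          # ASSUMPTION: offset counts items, not pages
    raise RuntimeError("max_items reached without seeing a short page")


def fake_fetcher(rows, calls):
    """Constructed stand-in for the HTTP call: slices rows, records offsets."""
    def fetch(url):
        q = parse_qs(urlsplit(url).query)
        limit, offset = int(q["limit"][0]), int(q["offset"][0])
        calls.append(offset)
        return rows[offset:offset + limit]
    return fetch
```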
Last modified on June 29, 2026