Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt

Use this file to discover all available pages before exploring further.

API Access Tokens authenticate users and grant access to resources such as CKS Clusters and VPCs.

Prerequisites

This guide assumes that you have an active CoreWeave account.

Create a new API Access Token

API Access Tokens must be created in the CoreWeave Cloud Console. To create a new Access Token, complete the following steps:
  1. In Cloud Console, navigate to Tokens, and then click the Create Token button in upper-right corner.
  2. In the Create API Token dialog, configure the token values by filling in the following fields, and then click Create:
    FieldDescription
    NameThe name of the token.
    ExpirationThe length of time for which the Token is valid.
    NoteA description for future reference.
  3. Select one of the following options:
    OptionDescription
    Token SecretCopy and store the token secret for use cases like scraping logs, metrics, and setting up your own self-hosted Grafana, or to add the token secret to an existing kubeconfig.
    KubeconfigCreate and download a kubeconfig for a specific cluster to interact with the cluster using commands like kubectl. Note that a Kubeconfig can access multiple Clusters by switching contexts.
    These sensitive values are never shown again after closing the modal. Be sure to record them in a secure location.

Use the kubeconfig file

To use the kubeconfig file, you must have the kubectl command-line tool installed. If you don’t have kubectl installed, follow the instructions in the Kubernetes documentation. To use the Kubeconfig file, either:
  • copy it to the default location for Kubeconfig files, typically ~/.kube/config;
  • specify the file location with the KUBECONFIG environment variable; or,
  • use the --kubeconfig flag with kubectl.
See the Kubernetes documentation for more information. When the Kubeconfig is in place, you can use kubectl to interact with the CKS clusters. To test the configuration, run: 
kubectl config view
The output should resemble the following: 
apiVersion: v1
kind: Config
clusters:
  - cluster:
      server: https://<id>.k8s.<zone>.coreweave.com
    name: my-cluster
contexts:
  - context:
      cluster: my-cluster
      namespace: default
      user: cwtoken-<TOKEN-ID>
    name: my-cluster-token
users:
  - name: cwtoken-<TOKEN-ID>-test-token
    user:
      token: <TOKEN-SECRET>

Best practices for Kubeconfig security

The Kubeconfig contains API Access Tokens, which should be treated with the same care as passwords or private SSH keys.
  • Make sure only the file owner can read and write the Kubeconfig file. For example, on Linux or macOS, use chmod 600 to set the appropriate permissions.
  • Avoid storing the Kubeconfig in version control systems.
  • Use separate Kubeconfigs for different users and applications, instead of sharing a single Kubeconfig among multiple users or apps.
  • Regularly rotate Kubeconfig files, and revoke access for users or applications that no longer need it to reduce the risk of credential leakage.
Learn more about Kubeconfig files in the official Kubernetes documentation.

Manage Access Tokens

You can view or delete Access Tokens on the Access Tokens dashboard. The secret values are never shown again after creation, so be sure to record them in a secure location. A screenshot of the Access Tokens dashboard listing active Access Tokens.
You may have a different level of access to CKS clusters. Organization administrators designate permissions. For more information on how permissions are set for users and groups, see IAM Access Policies and Legacy User Permissions.
Last modified on April 20, 2026