> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage API access tokens and kubeconfig files

> Create and manage API Access Tokens and their associated Kubeconfigs

API Access Tokens authenticate users and grant access to resources such as CKS Clusters and VPCs.

## Prerequisites

This guide assumes that you have an active CoreWeave account.

## Create a new API access token

API access tokens authenticate programmatic access to CoreWeave services. Create them in the CoreWeave Cloud Console.
To create a new access token, complete the following steps:

1. In Cloud Console, navigate to [Tokens](https://console.coreweave.com/tokens), and then click the **Create Token** button in the upper-right corner.

2. In the **Create API Token** dialog, complete the following fields to configure the token values, and then click **Create**:

   | **Field**      | **Description**                     |
   | -------------- | ----------------------------------- |
   | **Name**       | The name of the token.              |
   | **Expiration** | How long the token remains valid.   |
   | **Note**       | A description for future reference. |

3. Select one of the following options:

   | **Option**       | **Description**                                                                                                                                                                                                                                                                                         |
   | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Token Secret** | Copy and store the token secret for use cases such as scraping metrics, scraping logs, self-hosted Grafana setup, or to add the token secret to an existing `kubeconfig`.                                                                                                                               |
   | **Kubeconfig**   | Create and download a `kubeconfig` for a specific cluster, so you can interact with the cluster using commands like `kubectl`. A `kubeconfig` can access multiple clusters when you [switch contexts](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/). |

   <Warning>
     Sensitive values such as token secrets and `kubeconfig` files are displayed in the Cloud Console modal **only once**, and they are never shown again after you close the modal. You must record them in a secure location.
   </Warning>

   After you complete these steps, your new API access token is ready to use with CoreWeave services.

## Use the kubeconfig file

To use the kubeconfig file, you must have the `kubectl` command-line tool installed. If you don't have `kubectl` installed, follow the instructions in the [Kubernetes documentation](https://kubernetes.io/docs/tasks/tools/).

To use the Kubeconfig file, either:

* copy it to the default location for Kubeconfig files, typically `~/.kube/config`;
* specify the file location with the `KUBECONFIG` environment variable; or,
* use the `--kubeconfig` flag with `kubectl`.

See the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) for more information.

When the Kubeconfig is in place, you can use `kubectl` to interact with the CKS clusters. To test the configuration, run:

```bash theme={"system"}
kubectl config view
```

The output should resemble the following:

```yaml theme={"system"}
apiVersion: v1
kind: Config
clusters:
  - cluster:
      server: https://<id>.k8s.<zone>.coreweave.com
    name: my-cluster
contexts:
  - context:
      cluster: my-cluster
      namespace: default
      user: cwtoken-<TOKEN-ID>
    name: my-cluster-token
users:
  - name: cwtoken-<TOKEN-ID>-test-token
    user:
      token: <TOKEN-SECRET>
```

## Best practices for Kubeconfig security

The Kubeconfig contains [API Access Tokens](/security/authn-authz/managed-auth/api-access), which should be treated with the same care as passwords or private SSH keys.

* Make sure only the file owner can read and write the Kubeconfig file. For example, on Linux or macOS, use `chmod 600` to set the appropriate permissions.
* Avoid storing the Kubeconfig in version control systems.
* Use separate Kubeconfigs for different users and applications, instead of sharing a single Kubeconfig among multiple users or apps.
* Regularly rotate Kubeconfig files, and revoke access for users or applications that no longer need it to reduce the risk of credential leakage.

<Info>
  Learn more about Kubeconfig files in [the official Kubernetes documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
</Info>

## Manage Access Tokens

You can view or delete Access Tokens on [the Access Tokens dashboard](https://console.coreweave.com/tokens). The secret values are never shown again after creation, so be sure to record them in a secure location.

<img src="https://mintcdn.com/coreweave-dbfa0e8d/2BnXXLfUdb578krj/security/authn-authz/_media/access-tokens-create.png?fit=max&auto=format&n=2BnXXLfUdb578krj&q=85&s=86f0d081ae8a1de15552bca03617a31f" alt="A screenshot of the Access Tokens dashboard listing active Access Tokens." width="2822" height="502" data-path="security/authn-authz/_media/access-tokens-create.png" />

<Tip>
  You may have a different level of access to CKS clusters. Organization administrators designate permissions. For more information on how permissions are set for users and groups, see [IAM Access Policies](/security/iam/access-policies) and [Legacy User Permissions](/security/iam/access-policies/legacy-permissions).
</Tip>