> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage API access tokens and kubeconfig files

> Create and manage API Access Tokens and their associated kubeconfigs

API Access Tokens authenticate users and grant access to resources such as CKS clusters and VPCs. This page explains how to create, use, and manage API Access Tokens and the kubeconfig files generated alongside them, so you can authenticate `kubectl` to CKS clusters and keep credentials secure.

The following section walks through creating an API Access Token and downloading the associated kubeconfig file.

## Prerequisites

This guide assumes that you have an active CoreWeave account.

## Create a new API access token

API access tokens authenticate programmatic access to CoreWeave services. Create them in the CoreWeave Cloud Console.
To create a new access token, complete the following steps:

1. In Cloud Console, navigate to [Tokens](https://console.coreweave.com/tokens), and then click the **Create Token** button in the upper-right corner.

2. In the **Create API Token** dialog, complete the following fields to configure the token values, and then click **Create**:

   | **Field**      | **Description**                     |
   | -------------- | ----------------------------------- |
   | **Name**       | The name of the token.              |
   | **Expiration** | How long the token remains valid.   |
   | **Note**       | A description for future reference. |

3. Select one of the following options:

   | **Option**       | **Description**                                                                                                                                                                                                                                                                                         |
   | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Token Secret** | Copy and store the token secret for use cases such as scraping metrics, scraping logs, self-hosted Grafana setup, or to add the token secret to an existing `kubeconfig`.                                                                                                                               |
   | **Kubeconfig**   | Create and download a `kubeconfig` for a specific cluster, so you can interact with the cluster using commands like `kubectl`. A `kubeconfig` can access multiple clusters when you [switch contexts](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/). |

   <Warning>
     Sensitive values such as token secrets and `kubeconfig` files are displayed in the Cloud Console modal **only once**, and they are never shown again after you close the modal. You must record them in a secure location.
   </Warning>

   After you complete these steps, your new API access token is ready to use with CoreWeave services.

## Use the kubeconfig file

After you have a kubeconfig file from the previous section, this section explains how to put it in place so `kubectl` can authenticate to your CKS cluster.

To use the kubeconfig file, you must have the `kubectl` command-line tool installed. If you don't have `kubectl` installed, follow the instructions in the [Kubernetes documentation](https://kubernetes.io/docs/tasks/tools/).

To use the kubeconfig file, choose one of the following options:

* Copy it to the default location for kubeconfig files, typically `~/.kube/config`.
* Specify the file location with the `KUBECONFIG` environment variable.
* Use the `--kubeconfig` flag with `kubectl`.

See the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) for more information.

When the kubeconfig is in place, you can use `kubectl` to interact with the CKS clusters. The following command displays the merged kubeconfig that `kubectl` will use, which helps you verify the configuration:

```bash theme={"system"}
kubectl config view
```

The output should resemble the following:

```yaml theme={"system"}
apiVersion: v1
kind: Config
clusters:
  - cluster:
      server: https://[CLUSTER-ID].k8s.[ZONE].coreweave.com
    name: my-cluster
contexts:
  - context:
      cluster: my-cluster
      namespace: default
      user: cwtoken-[TOKEN-ID]
    name: my-cluster-token
users:
  - name: cwtoken-[TOKEN-ID]-test-token
    user:
      token: "[TOKEN-SECRET]"
```

## Best practices for kubeconfig security

Because the kubeconfig grants direct access to your CKS clusters, follow these practices to reduce the risk of credential exposure.

The kubeconfig contains [API Access Tokens](/security/authn-authz/managed-auth/api-access). Treat these tokens with the same care as passwords or private SSH keys.

* Make sure only the file owner can read and write the kubeconfig file. For example, on Linux or macOS, use `chmod 600` to set the appropriate permissions.
* Avoid storing the kubeconfig in version control systems.
* Use separate kubeconfigs for different users and applications, instead of sharing a single kubeconfig among multiple users or apps.
* Rotate kubeconfig files regularly, and revoke access for users or applications that no longer need it to reduce the risk of credential leakage.

<Info>
  Learn more about kubeconfig files in [the official Kubernetes documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
</Info>

## Manage Access Tokens

After you create tokens, use the Cloud Console to review or revoke them as your access needs change.

You can view or delete Access Tokens on [the Access Tokens dashboard](https://console.coreweave.com/tokens). The secret values are never shown again after creation, so record them in a secure location.

<img src="https://mintcdn.com/coreweave-dbfa0e8d/2BnXXLfUdb578krj/security/authn-authz/_media/access-tokens-create.png?fit=max&auto=format&n=2BnXXLfUdb578krj&q=85&s=86f0d081ae8a1de15552bca03617a31f" alt="Access Tokens dashboard listing active Access Tokens." width="2822" height="502" data-path="security/authn-authz/_media/access-tokens-create.png" />

<Tip>
  You may have a different level of access to CKS clusters. Organization administrators designate permissions. For more information on how administrators set permissions for users and groups, see [IAM Access Policies](/security/iam/access-policies) and [Legacy User Permissions](/security/iam/access-policies/legacy-permissions).
</Tip>
