Stats
Actions
Tags
From ghost
Authenticate against the Ghost Admin API using Integration Tokens (JWT), Staff Access Tokens, or User Sessions. Use before any Admin API skill.
How this skill is triggered — by the user, by Claude, or both
Slash command
/ghost:ghost-admin-api-authThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
The Ghost Admin API has three authentication methods. Choose based on your use case:
The Ghost Admin API has three authentication methods. Choose based on your use case:
| Method | Use When |
|---|---|
| Integration Token (JWT) | Server-side automations, CI/CD, scripts — no user context needed |
| Staff Access Token | Respecting a specific user's role/permissions |
| User Session (cookie) | Browser-based admin clients, interactive tools requiring 2FA support |
Base URL: https://{admin_domain}/ghost/api/admin/
Always include the API version header on every request:
Accept-Version: v5.0
In Ghost Admin: Settings → Advanced → Integrations → Add custom integration.
Copy the Admin API Key. It has the form:
{id}:{secret}
Example: 64f2f3e5a1b2c3d4e5f6a7b8:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2
The JWT must be:
aud): /admin/iat): current Unix timestampexp): max 5 minutes from nowkid): the {id} portion of the Admin API KeyNode.js example:
import jwt from 'jsonwebtoken';
function ghostAdminToken(adminApiKey) {
const [id, secret] = adminApiKey.split(':');
return jwt.sign({}, Buffer.from(secret, 'hex'), {
keyid: id,
algorithm: 'HS256',
expiresIn: '5m',
audience: '/admin/',
});
}
Python example:
import jwt, time, binascii
def ghost_admin_token(admin_api_key: str) -> str:
id_, secret = admin_api_key.split(':')
iat = int(time.time())
payload = {'iat': iat, 'exp': iat + 300, 'aud': '/admin/'}
return jwt.encode(payload, bytes.fromhex(secret), algorithm='HS256',
headers={'kid': id_})
TOKEN=$(node -e "
const jwt = require('jsonwebtoken');
const key = process.env.GHOST_ADMIN_API_KEY;
const [id, secret] = key.split(':');
console.log(jwt.sign({}, Buffer.from(secret,'hex'), {
keyid: id, algorithm: 'HS256', expiresIn: '5m', audience: '/admin/'
}));
")
curl -H "Authorization: Ghost $TOKEN" \
-H "Accept-Version: v5.0" \
https://example.com/ghost/api/admin/posts/
Key rules:
In Ghost Admin: User profile → bottom of page → Staff access token → Copy.
This token is tied to that staff user's role and respects their permissions.
curl -H "Authorization: Ghost $STAFF_ACCESS_TOKEN" \
-H "Accept-Version: v5.0" \
https://example.com/ghost/api/admin/posts/
When to use: When you want operations scoped to a specific user's role (e.g., an Author token cannot publish, a Contributor token cannot create tags).
curl -c cookies.txt -X POST \
-H "Content-Type: application/json" \
-H "Accept-Version: v5.0" \
-d '{"username":"[email protected]","password":"yourpassword"}' \
https://example.com/ghost/api/admin/session/
curl -b cookies.txt \
-H "Accept-Version: v5.0" \
-H "X-CSRF-Token: $(grep ghost-csrf cookies.txt | awk '{print $NF}')" \
https://example.com/ghost/api/admin/posts/
Notes:
| Role | Capabilities |
|---|---|
| Contributor | Write posts only; cannot publish |
| Author | Create and publish posts and tags |
| Editor | Manage authors/contributors; edit their content |
| Administrator | Full access to all settings and data |
| Owner | Administrator + billing; permanent, cannot be removed |
Store credentials as:
GHOST_ADMIN_URL=https://example.com
GHOST_ADMIN_API_KEY=64f2f3e5a1b2c3d4e5f6a7b8:a1b2c3d4...
All other Ghost Admin API skills expect these variables to be set.
GHOST_ADMIN_API_KEY env varGHOST_ADMIN_URL env varAccept-Version: v5.0 header included on all requestsAuthorization: Ghost {token} header format confirmed (not Bearer)npx claudepluginhub thinkmorestupidless/claude-marketplace --plugin ghostGuides creation, editing, and verification of skills for AI coding agents using test-driven development with subagent scenarios. Use when authoring or debugging skills.