403 Error on Ghost Admin API – Seeking Clarity on Permissions & Auth Flow

Hi, I’ve hit a wall with the Admin API. Specifically, I’m trying to access the member_signin_urls endpoint, but I consistently receive a 403 Forbidden response—even when using an Admin API key generated from the Integrations panel.

Here’s what I’ve tried:

  • Using the Admin API key with correct headers (Authorization: GhostAdminAPIKey ...)

  • Confirmed the endpoint and payload match the official docs

  • Tested across multiple Ghost versions (including 5.117.0 and 5.118.0)

  • Ensured the site is not behind a proxy that strips cookies

Still, no luck. My questions:

  1. Is member_signin_urls restricted to Owner-level session auth only? If so, is there a documented way to authenticate as Owner via API (not browser)?

  2. Are there known limitations or bugs in recent Ghost versions (e.g., 5.118.0) that affect Admin API access?

  3. Is there a recommended workaround for generating member signin URLs via automation, without relying on session cookies?

Feedback deeply appreciated. If this endpoint is intentionally restricted, I’d love to understand the reasoning—and whether there is an alternative.

Thanks in advance for any guidance you can offer.

Warmly,
Atmo

You’re not using the Admin API key correctly. You don’t just pass it in unchanged, you use it to generate a token. Here’s the docs you need: Overview - Ghost Developer Docs (you probably need to start reading a couple screens higher and read a couple screens past it, but that’s the sample code, in multiple languages).

And to your questions:

1 - No. I use it routinely with an admin API key from the custom integrations page. It should also work with an admin/owner-level staff token, but I can’t 100% confirm that.

2 - Pre ~5.98 (when I patched it), it was only possible to do cookie authentication to that endpoint. It now takes a token correctly.

3 - Don’t do cookies. Make a token.
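
Added example, not part of the thread and not Ghost's own code: the token generation the reply above refers to, written with only the Python standard library. It follows the token shape in Ghost's Admin API docs (HS256, `kid` set to the key id, `aud` of `/admin/`, lifetime of at most 5 minutes, sent as `Authorization: Ghost <token>`); the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key in the "<id>:<hex secret>" shape; not a real credential.
SAMPLE_KEY = "0123456789abcdef01234567:" + "ab" * 32


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_admin_token(admin_api_key: str, now: Optional[int] = None, ttl: int = 300) -> str:
    """Derive a short-lived HS256 JWT from an Admin API key (hypothetical helper)."""
    key_id, sep, secret_hex = admin_api_key.strip().partition(":")
    if not sep or not key_id or not secret_hex:
        raise ValueError("expected '<id>:<hex secret>'")
    if not 0 < ttl <= 300:
        raise ValueError("token lifetime must be at most 5 minutes")
    secret = bytes.fromhex(secret_hex)  # sign with the decoded bytes, not the hex text
    iat = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": key_id}
    payload = {"iat": iat, "exp": iat + ttl, "aud": "/admin/"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def auth_headers(admin_api_key: str) -> dict:
    """Authorization header carrying the derived token; the raw key is never sent."""
    return {"Authorization": "Ghost " + make_admin_token(admin_api_key)}


if __name__ == "__main__":
    print(auth_headers(SAMPLE_KEY))
```

Generate a fresh token per request or per short batch, since each one expires within minutes, and keep the `id:secret` key itself out of request logs and client-side code.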