Any interest in API authentication without shared, long-lived secrets?

Hi all,

Would any of you find it useful to connect to the Ghost Admin API without API keys?

Rather than using such long-lived secrets that ought to be protected on the client and server, you could use Kliento token bundles, which are short-lived credentials that contain the chain of trust anchored in DNSSEC. They’re like JWTs that can be verified 100% locally without configuring or retrieving public keys (unlike JWTs).

Kliento is a tiny extension to VeraId, which has been independently security audited and has an Internet-Draft. The protocols have open source reference implementations.

If there’s enough interest, I’d be happy to build a prototype so you can see it in action in Ghost. It’d look like this roughly:

  • You’d still create a custom integration, but instead of copy/pasting an admin API key, you’d enter the identifier of the client. This will be a string like your-app@your-domain.com, your-app@staging.your-domain.com, your-domain.com, etc.
  • The client has two options to obtain token bundles:
    • By exchanging its platform’s credentials. That is, if your client runs on GitHub, Kubernetes, GCP, Vercel, or many others, you could obtain the credentials directly via an app we provide, which can be run on-prem or in the cloud.
    • By generating the credentials directly, if you’re happy to manage a private key.
  • Once the client has a token bundle, it’d just have to include it in the Authorization request header. Such bundles are valid for a maximum of 60 minutes (configurable) and can be reused whilst they’re valid.

I think this is more convenient and safer than API keys, especially with the tooling we have or could easily add, and I’d be happy to contribute the functionality on the Ghost Admin API server and its SDK after the prototype, if the Ghost community and the Ghost Foundation are interested.

With that in mind, would this be something you’d be interested in? Any questions or concerns?

Thanks!

Gus.