Authenticating API for users

I want to build a custom, external API to display some stats that are tied to the users’ accounts. I can keep track of the users through webhooks, but how do I allow them to access their own data securely?

To sum it up: How can I use Ghost’s internal authentication with an external application?

You can get a JWT for a logged-in user by hitting /members/api/session/
(this is current as of v5; the endpoint on the link below is out of date).

Pass that to your app, and have the app validate it.
The public key is at /members/.well-known/jwks.json


I am having trouble with this part. I found ./versions/5.34.0/core/server/web/well-known.js, which has the jwks.json route wellKnownApp.get('/jwks.json', cache, async (req, res) =>, but I can’t seem to get it to respond with anything other than a 404. Is there some change I need to make? I did notice that anything on the /members/.well-known/ path returns an nginx 404 instead of one from Ghost.

https://github.com/TryGhost/Ghost/search?q=jwks.json This was somewhat useful; it seems I might have some sort of installation issue, as the routes listed don’t function on my server. I tested on a public installation of Ghost and it worked fine, so it must be an issue with my nginx, I think.

Update: solved the issue with nginx. Had to comment some lines out that the CLI installer made in the two files in sites-available, and it’s working fine now.

    #location ~ /.well-known {
    #    allow all;
    #}
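Why that block swallowed the request, with a narrower alternative to commenting it out, as an added illustration (this is not the poster's file or the Ghost-CLI template verbatim; the root path, the Ghost port and the assumption that the block exists to serve ACME challenge files are assumptions of the example):

```nginx
# Added illustration, not the poster's config or the Ghost-CLI template verbatim.
# Assumption: the block exists so ACME challenge files can be served from disk.

# Before: a regex location. "~ /.well-known" is an unanchored regex, so it matches
# the substring anywhere in the URI. /members/.well-known/jwks.json therefore
# lands here, nginx looks for a file on disk instead of proxying to Ghost, and
# the client gets nginx's own 404.
#location ~ /.well-known {
#    allow all;
#}

# After: a prefix location anchored at the site root. "^~" makes this prefix win
# without consulting regex locations, and /members/.well-known/... does not start
# with it, so that request falls through to "location /" and Ghost answers.
location ^~ /.well-known/acme-challenge/ {
    root /var/www/ghost/system/nginx-root;   # assumed path; use the one in your server block
    allow all;
}

location / {
    proxy_pass http://127.0.0.1:2368;        # Ghost's default port, assumed here
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

After editing, run nginx -t and reload, then confirm that /members/.well-known/jwks.json returns JSON from Ghost while an unknown path under /.well-known/acme-challenge/ still returns an nginx 404 rather than being proxied.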

Just a tip for anyone trying to follow along: https://token.dev/ is a great resource. It helped me understand how these things work.
