Code comment says "We don't support admin api keys yet" - is this true?



  • What’s your URL?
  • What version of Ghost are you using? Ghost-CLI version: 1.9.9 / Ghost version: 2.18.1
  • What configuration? self-hosted (?)
  • What browser? Brave - Version 0.61.51 Chromium: 73.0.3683.75 (Official Build) (64-bit)
  • What errors or information do you see in the console? error below
  • What steps could someone else take to reproduce the issue you’re having? my steps are below

I’m trying to experiment with the Admin API, and I think I’m authenticating correctly with an Admin API Key id/secret, but I’m unable to actually authenticate.

missingAdminUserOrIntegration: “Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication.”

Looking at the code, I see this comment on the code:

We don’t support admin api keys yet, but we can already use this authorization helper, because we have not connected authenticating with admin api keys yet. req.api_key will be always null.

Is the comment outdated, or (the way I interpret it) can we only authenticate with the Admin API via username/password right now, and not an Admin API Key?

If the comment’s outdated, then I guess I’m just doing something wrong. :confused:

This probably won’t mean a ton to anyone, but here’s how I’m trying to authenticate in C#, using the Jwt.Net library.

var adminKeyParts = adminApiKey.Split(':');

var unixEpochInSeconds = new DateTimeOffset(DateTime.Now).ToUnixTimeSeconds();

var token = new JwtBuilder().WithAlgorithm(new HMACSHA256Algorithm())
                            .AddHeader(HeaderName.KeyId, adminKeyParts[0])
                            .AddClaim("exp", unixEpochInSeconds + 300)
                            .AddClaim("iat", unixEpochInSeconds)
                            .AddClaim("aud", "/v2/admin/")

var request = new RestRequest($"posts/{id}", Method.GET);
request.AddHeader("Authorization", $"Ghost {token}");
var response = Client.Execute<PostResponse>(request);
return response.Data;


public static byte[] StringToByteArray(string hex)
    int NumberChars = hex.Length;
    byte[] bytes = new byte[NumberChars / 2];
    for (int i = 0; i < NumberChars; i += 2)
        bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
    return bytes;


Please share the details of your install, in particular Ghost-version, when asking for help - rather than deleting the whole template which we created asking for those details.

Not much anyone here can suggest unless you share context



Absolutely, sorry about that. My question was more about whether the comment was accurate or outdated, but I’ve added the details.

1 Like


The comment is definitely outdated, thanks for pointing it out!

As for the error, it’s suggesting that the kid header value doesn’t match any known integration key. I would try capturing the generated token and pasting it into the debugger at to verify it matches what you expect, if it does then maybe check the URL that you’re connecting to.

1 Like


Wow, that site’s awesome.

Everything seemed okay, based on when I created the token earlier.

  "kid": "expected id",
  "typ": "JWT",
  "alg": "HS256"

  "exp": 1553004583,    // 300 seconds after current time
  "iat": 1553004283,    // current time
  "aud": "/v2/admin/"

The URL seems okay too…{valid_post_id}

I’ll keep playing around with it… it’ll probably be obvious once I figure it out. :slight_smile:



Don’t forget that URLs must end with a / - if the trailing slash isn’t there then Ghost will respond with a 301, perhaps your networking library isn’t forwarding the same headers if it’s following the redirect?

1 Like


Wow, that was it. Thanks Kevin.

I didn’t expect that because I use the same URL format without the trailing slash for the Content API (except /ghost/api/v2/content/ instead of /ghost/api/v2/admin/) and it always returns the correct results. I’ll make sure I add the trailing slash with both APIs from now on. :+1:


closed #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.