Content API Hides HTML for Members-only Posts

Hi, I’ve come across something interesting with the Content API, as I’m trying to get a headless site going that uses as much of the members features as possible…

When using the Content API, if a post’s “visibility” is not “public” (e.g. members-only posts) its HTML data is blank.

I assume this is because the Content API is meant to only serve public data? And members-only data can only be accessed through the Admin API?

If this is the case, would the best option be to use the Admin API instead to source my static site’s content? I’m using the latest Ghost version (4.1.2) with Gatsby as the front-end.

Just want to make sure there’s not a simpler way I’m missing or there’s some issue with using the Admin API for this.

Thanks!

You can use the Admin API as long as you’re not exposing the keys (has write permissions) but it’s generally not possible to build a secure static site with members-only content, because there is no server so there can’t be any serverside authentication.

Clientside auth is very easy to bypass by disabling JS - which is why most of the “drop in script” membership products are mostly useless.

Of course if you have an answer to that already then no problem - just making you aware there are some potholes :slight_smile:

1 Like

Thanks John, that’s great! Appreciate the advice on the potholes as well :grinning:

To begin with, I’m just dummy-proofing my front-end so that in case someone accidentally selects a visibility besides “public” their post’s content doesn’t disappear… sounds like that will be an easy fix by switching to the Admin API then.

I’m doing quite a bit of playing around with using Ghost for headless… I’m not sure if there’s anyway I can get around those potholes but I’ve got some interesting stuff coming along. If you guys are looking for examples and blog posts on headless, let me know - I’d be happy to write them up for sharing.

Nice! A large portion of Ghost.org itself is a headless front-end on top of Ghost.

If you’re just trying to cover off accidents, I would personally stick with the Content API, and just create a state for handling an empty content API response that outputs something static like “No content available - check that post access level is set to public”

Then you don’t need to be as careful with your API key :slight_smile:

1 Like