Get JWT for signed-in Member

Hello Ghost community!

I am trying to follow the advice of @disaza and @fabien as laid out here and here.

I am trying to get a JWT for a signed-in member by making a GET request to /members/ssr but I merely get a 404.

Is it still possible to get a JWT for a logged-in Member?

Thanks for your help,
Frei

1 Like

I discovered the solution to the problem that I was having.

I realize now that I should have named this thread:
“Validating Member Authentication Cookie”.

What I discovered is that Member Authentication is managed via the ghost-members-ssr cookie, that this cookie is signed by the Ghost express server and is scoped to the specific domain hosting the ghost server.

This credential *can* be used to authenticate custom software, which one is writing in order to integrate the Ghost CMS into a larger system.

However, the Ghost source code needs to be slightly adjusted: the MembersSSR.js file needs to be manually included and customized, so that the domain of the members-ssr-cookie is set. This makes the cookie valid for all subdomains as well.

Besides that, the custom software must have access to the theme_session_secret from the settings table of the Ghost MySQL database. This key needs to be set on the custom server to validate signed cookies against.

. . .
Now I’m trying to figure out how to use the admin_session_secret to validate the Admin cookie/token.
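
One way to perform the validation step described in the posts above on a separate Node server, as an added example that is not from the thread or from Ghost's own code. It assumes the cookie is signed Keygrip-style, as the `cookies` npm package does (HMAC-SHA1 over `name=value`, base64url-encoded, carried in a companion `ghost-members-ssr.sig` cookie); the function names, the secret and the cookie value are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const COOKIE_NAME = 'ghost-members-ssr';

// Assumed scheme: HMAC-SHA1 over "name=value", base64 made URL-safe, padding stripped.
function sign(name, value, secret) {
  return crypto.createHmac('sha1', secret)
    .update(`${name}=${value}`)
    .digest('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
}

// Split a raw Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // skip empty or nameless fragments
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Returns the cookie value when its signature verifies under one of the
// given secrets (a list, so a rotated secret can be accepted), else null.
// Interpreting the value is left to the caller.
function verifyMemberCookie(cookieHeader, secrets) {
  const jar = parseCookieHeader(cookieHeader);
  const value = jar.get(COOKIE_NAME);
  const sig = jar.get(`${COOKIE_NAME}.sig`);
  if (value === undefined || sig === undefined) return null; // unsigned: reject
  const given = Buffer.from(sig);
  for (const secret of secrets) {
    const expected = Buffer.from(sign(COOKIE_NAME, value, secret));
    // Constant-time comparison; timingSafeEqual requires equal lengths.
    if (expected.length === given.length && crypto.timingSafeEqual(expected, given)) {
      return value;
    }
  }
  return null;
}

// Constructed sample, not real Ghost data: stands in for theme_session_secret
// and for the Cookie header a browser would send.
const SAMPLE_SECRET = 'constructed-theme-session-secret';
const SAMPLE_VALUE = 'constructed-member-id';
const SAMPLE_HEADER = `${COOKIE_NAME}=${SAMPLE_VALUE}; ` +
  `${COOKIE_NAME}.sig=${sign(COOKIE_NAME, SAMPLE_VALUE, SAMPLE_SECRET)}`;
console.log(verifyMemberCookie(SAMPLE_HEADER, [SAMPLE_SECRET]));
```

A `null` result should be treated as an unauthenticated request; the value must never be trusted when the `.sig` cookie is missing or does not match.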