Ghost CMS API
Ghost is an open-source headless CMS and publishing platform with two distinct APIs: the read-only Content API (public posts, pages, tags, authors) and the Admin API (full CRUD for all content and site management), purpose-built for modern publishing workflows.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
TLS is strongly recommended and is enforced on Ghost(Pro); self-hosted instances may vary. The Admin API uses short-lived JWTs (5-minute expiry), which is a good security pattern for agents. The Content API key is effectively public (read-only, embeddable in client code). There is no scope restriction within the Admin API: a key has full admin access. The open-source codebase enables security auditing. Ghost(Pro) has a reasonable security posture.
⚡ Reliability
Best When
You're building a content-first publishing product (blog, newsletter, media site) and want a clean, modern REST API with no legacy baggage and good headless CMS ergonomics.
Avoid When
You need complex structured content with deeply nested schemas, or you're building something beyond publishing (e-commerce, internal tools, etc.).
Use Cases
- Fetching posts and pages for headless frontend rendering (Next.js, Astro, etc.)
- Automated content publishing pipelines — agents creating and scheduling posts
- Newsletter management — creating and sending email newsletters via API
- Syncing Ghost content to other systems (SEO tools, analytics, archives)
- Member and subscription management for paid content products
Not For
- Complex content modeling with deeply nested relationships (use Contentful or Sanity)
- Multi-site management from a single API (Ghost is per-site)
- E-commerce or transactional content beyond digital subscriptions
- Teams who need a GUI-heavy page builder experience
Interface
Authentication
Content API uses a simple Content API key passed as a query parameter (?key=) — read-only, safe to expose in client-side code. Admin API uses JWT authentication: a key in the format id:secret is split, the secret is base64-decoded, and a short-lived JWT is generated and passed as a Bearer token. The JWT approach for Admin API is unusual and requires careful implementation.
Pricing
Self-hosted is fully free with no restrictions. Ghost(Pro) is the managed hosting service. The API is identical between self-hosted and Ghost(Pro). Ghost Foundation is a non-profit — pricing is transparent and reasonable.
Agent Metadata
Known Gotchas
- ⚠ Admin API JWT generation requires splitting the key at ':' and base64-decoding the secret portion — many implementations get this wrong
- ⚠ Admin API JWTs expire after 5 minutes — agents making long-running requests or batches must regenerate tokens
- ⚠ Content API key appears in URLs/logs — do not use it for sensitive or private content (use Admin API with JWT for that)
- ⚠ Ghost uses Mobiledoc or Lexical as its internal content format — sending plain HTML requires the html source format, not the default
- ⚠ Pagination uses page and limit query params with meta.pagination in the response — not cursor-based, so concurrent modification can cause drift
- ⚠ Webhook delivery is best-effort with no guaranteed retry on failure — agents must handle missed events
- ⚠ Self-hosted Ghost API URL depends on deployment — no standard base URL to hardcode
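The first two gotchas above, as an added example (not code from this page or from Ghost): splitting the key, signing with the decoded secret bytes rather than the secret's text, and regenerating the token before the 5-minute expiry. It assumes, following Ghost's Admin API documentation, that the secret half of the key is hex text and that tokens are HS256-signed with the key id as `kid` and `/admin/` as the audience; the sample key, the 30-second refresh margin and all names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

TOKEN_TTL = 300       # seconds: the 5-minute Admin API token lifetime
REFRESH_MARGIN = 30   # assumed safety margin: regenerate this long before expiry

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_admin_jwt(admin_key: str, now: int) -> str:
    """Build an HS256 JWT from an 'id:secret' Admin API key."""
    key_id, sep, secret = admin_key.partition(":")
    if not (key_id and sep and secret):
        raise ValueError("Admin API key must look like 'id:secret'")
    # Assumption: the secret is hex text. Sign with the decoded bytes,
    # not with the ASCII characters of the string (the common mistake).
    signing_key = bytes.fromhex(secret)  # raises ValueError on malformed hex
    header = {"alg": "HS256", "typ": "JWT", "kid": key_id}
    payload = {"iat": now, "exp": now + TOKEN_TTL, "aud": "/admin/"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(signing_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

class AdminTokenSource:
    """Hands out a cached token and regenerates it before it expires."""
    def __init__(self, admin_key, clock=time.time):
        self._key, self._clock = admin_key, clock
        self._token, self._expires = None, 0

    def token(self) -> str:
        now = int(self._clock())
        if self._token is None or now >= self._expires - REFRESH_MARGIN:
            self._token = make_admin_jwt(self._key, now)
            self._expires = now + TOKEN_TTL
        return self._token

# Constructed key for illustration only; not a real credential.
SAMPLE_KEY = "0123456789abcdef01234567:" + "ab" * 32

if __name__ == "__main__":
    print(AdminTokenSource(SAMPLE_KEY).token())
```

A long-running batch calls `token()` before each request instead of holding one token for the whole run.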
Scores are editorial opinions as of 2026-03-07.