Ghost · Rate Limits

Ghost Org Rate Limits

Ghost does not publish fixed numeric per-endpoint rate limits for the Content API or Admin API. Because Ghost is open source and runs per-site (self-hosted or on Ghost(Pro)), request throughput on a self-hosted install is bounded by your own server capacity rather than by a vendor-imposed quota. Ghost does apply brute-force protection on authentication-related endpoints, and Ghost(Pro) enforces platform-level abuse protection and fair-use limits. Practical constraints are more often the audience/member and staff limits of the Ghost(Pro) plan and email-sending volume than an API request-rate cap.

Ghost Org Rate Limits is the machine-readable rate-limit profile for Ghost on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 5 rate-limit definitions, measuring requests, records, attempts, and members.

The profile also includes 3 backoff/retry policies defined and response codes documented for throttled.

Tagged areas include Publishing, Content, Open Source, Rate Limiting, and Quotas.

5 Limits Throttle: 429
PublishingContentOpen SourceRate LimitingQuotas

Limits

Content API Requests site
requests
not published
No fixed numeric request-rate limit is documented; self-hosted throughput is bounded by your own server.
Admin API Requests site
requests
not published
No fixed numeric request-rate limit is documented for the Admin API.
Default Page Size request
records
15
Browse endpoints return 15 records by default; adjust with the limit parameter (or limit=all).
Authentication Brute-Force Protection site
attempts
enforced
Ghost rate-limits repeated failed sign-in / authentication attempts to mitigate brute-force attacks.
Ghost(Pro) Member Allowance account
members
per plan
Ghost(Pro) plans cap audience size (for example 1,000 or 10,000 members) rather than API calls.

Policies

Optimistic Concurrency
Admin API edits require the current updated_at value; stale writes are rejected to prevent overwriting newer changes.
HTTPS Required
All API requests must be made over HTTPS.
Backoff Strategy
Clients should implement exponential backoff with jitter and honor Retry-After on any 429 responses.

Sources