Blog RSS Feed Subscribe

Jordi Boggiano

Jordi Boggiano Passionate web developer, specialized in web performance and php. Partner at Nelmio, information junkie and speaker.


Authentication management in Composer

Up until today if you run a home-grown package repository serving private packages it was quite a pain to use with Composer. You did not have efficient way to password-protect the repository except by inlining the password in the composer.json or by typing the username/password every single time.

With the merge of PR#1862 and some further improvements you can now remove credentials from your composer.json! The first time Composer needs to authenticate against some domain it will prompt you for a username/password and then you will be asked whether you want to store it. The storage can be done either globally in the COMPOSER_HOME/auth.json file (COMPOSER_HOME defaults to ~/.composer or %APPDATA%/Composer on Windows) or also in the project directory directly sitting besides your composer.json.

You can also configure these by hand using the config command if you need to configure a production machine to be able to run non-interactive installs. For example to enter credentials for one could type:

composer config username password

That will store it in the current directory's auth.json, but if you want it available globally you can use the --global (-g) flag.

The advantage of having it in a separate file is that you can easily add this auth.json to .gitignore and let every developer in your company have their own credentials in there.

And I did not forget the security-minded folks that do not want to store anything on disk and do not want to be prompted every time! You can use composer config -g store-auths false

Altogether these small improvements should make some use cases much easier so that is great news.

May 27, 2014 // News, PHP

Post a comment:

Formatting: you may use [code php] [/code] (or other languages) for code blocks, links are automatically linked. <strong>, <em> and <blockquote> html tags are allowed without nesting, the rest will be escaped.

Subscribe to this RSS Feed Comments

2014-05-28 15:56:28


very nice addition, thank you very much!

2014-05-29 21:20:24


Nice feature. Thanks a lot Jordi :-)

2014-05-30 08:56:30

Maximilian Berghoff


that's a nice feature.

Would have one questions:

Home-grown package repository just works with
"repositories":[{"type":"vcs","url":"file:// or https:// or .."},
or are there other way, except from buying a private license on packagist?

I am on my way to introduce that at our company, so buying an account in that case would be to early. I just fetch all repos by "file://" from a our network storage. Are there other better examples?
Read some stuff about setting up the git repos on a server by https:// or just an user called git.

2014-06-01 07:17:29


@Maximilian Berghoff:
I guess you are searching for

2014-10-04 17:31:36

Dennis Birkholz

The auth.json file looks like this, just in case you have no console at hand :-)

    "http-basic": {
        "": {
            "username": "username",
            "password": "password"

(please delete my previous post, messed with the code part ...)

2014-10-27 14:09:44


For the "security-minded folks" - that does not store anything and does not prompt, so what...?

2014-10-27 20:18:00


@Matthias: it prompts for the password every time and keeps it in memory for the rest of the run, but it does not prompt you to save it to disk.