Authentication management in Composer

Until today, if you ran a home-grown package repository serving private packages, it was quite a pain to use with Composer. There was no efficient way to password-protect the repository except by inlining the password in the composer.json or by typing the username/password every single time.

With the merge of PR#1862 and some further improvements, you can now remove credentials from your composer.json! The first time Composer needs to authenticate against a domain, it will prompt you for a username/password and then ask whether you want to store it. The credentials can be stored either globally in the COMPOSER_HOME/auth.json file (COMPOSER_HOME defaults to ~/.composer or %APPDATA%/Composer on Windows) or in the project directory, in an auth.json sitting beside your composer.json.

You can also configure these by hand using the config command if you need to configure a production machine to be able to run non-interactive installs. For example to enter credentials for one could type:

composer config http-basic.<repository-host> username password

That will store it in the current directory's auth.json, but if you want it available globally you can use the --global (-g) flag.

The advantage of having it in a separate file is that you can easily add this auth.json to .gitignore and let every developer in your company have their own credentials in there.
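As an added example (not from the original post and not Composer's own code), the following Python check flags the two situations the post is moving away from: a password inlined in a repository URL in composer.json, and a project-level auth.json that is not listed in .gitignore. The function names, the host repo.example.org and the credentials are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlsplit


def inline_credentials(composer_json):
    """Return hosts whose repository URL in composer.json embeds a password."""
    data = json.loads(Path(composer_json).read_text(encoding="utf-8"))
    repos = data.get("repositories", [])
    # "repositories" may be a list or an object keyed by name.
    entries = repos.values() if isinstance(repos, dict) else repos
    urls = [r.get("url", "") for r in entries if isinstance(r, dict)]
    return [urlsplit(u).hostname for u in urls if urlsplit(u).password]


def audit(project_dir):
    """Return findings about credential handling in one project directory."""
    root = Path(project_dir)
    findings = [f"composer.json: password inlined in URL for {host}"
                for host in inline_credentials(root / "composer.json")]
    ignore = root / ".gitignore"
    if (root / "auth.json").exists():
        text = ignore.read_text(encoding="utf-8") if ignore.exists() else ""
        # Simplification: only literal entries are recognised, not globs.
        if not {"auth.json", "/auth.json"} & {l.strip() for l in text.splitlines()}:
            findings.append("auth.json: not listed in .gitignore")
    return findings


def demo():
    """Audit a constructed project (sample data, not taken from the post)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "composer.json").write_text(json.dumps({"repositories": [
            {"type": "composer", "url": "https://deploy:s3cret@repo.example.org"},
            {"type": "vcs", "url": "file:///mnt/storage/acme/lib.git"},
        ]}), encoding="utf-8")
        (root / "auth.json").write_text(json.dumps({"http-basic": {
            "repo.example.org": {"username": "deploy", "password": "s3cret"},
        }}), encoding="utf-8")
        return audit(root)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run against a real checkout with audit("/path/to/project"); an empty list means neither condition was found.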

And I did not forget the security-minded folks that do not want to store anything on disk and do not want to be prompted every time! You can use composer config -g store-auths false

Altogether these small improvements should make some use cases much easier so that is great news.

May 27, 2014 // News, PHP

Comments

2014-05-28 13:56:28


very nice addition, thank you very much!

2014-05-29 19:20:24


Nice feature. Thanks a lot Jordi :-)

2014-05-30 06:56:30

Maximilian Berghoff


that's a nice feature.

Would have one question:

Home-grown package repository just works with
"repositories":[{"type":"vcs","url":"file:// or https:// or .."},
or are there other ways, apart from buying a private license on packagist?

I am on my way to introduce that at our company, so buying an account in that case would be too early. I just fetch all repos by "file://" from our network storage. Are there other better examples?
Read some stuff about setting up the git repos on a server by https:// or just a user called git.

2014-06-01 05:17:29


@Maximilian Berghoff:
I guess you are searching for

2014-10-04 15:31:36

Dennis Birkholz

The auth.json file looks like this, just in case you have no console at hand :-)

    {
        "http-basic": {
            "": {
                "username": "username",
                "password": "password"
            }
        }
    }

(please delete my previous post, messed with the code part ...)

2014-10-27 13:09:44


For the "security-minded folks" - that does not store anything and does not prompt, so what...?

2014-10-27 19:18:00


@Matthias: it prompts for the password every time and keeps it in memory for the rest of the run, but it does not prompt you to save it to disk.

2014-12-15 15:59:37


Excellent.... THANK YOU, very useful :) It would be perfect if there is a way to point to an SSH key file.

2015-10-20 16:34:58


Do these settings work for Bitbucket?