Appearance
Access
Private Packages uses token-based authentication to secure access to your private Composer repository. This ensures that only authorized projects can download your premium plugins and themes.
Authentication Overview
To use Private Packages with Composer, you need:
- A Composer token - Generated from your Private Packages account
- Composer configuration - Set up in your project to use the token
Why Token-Based Authentication?
Token-based authentication provides several benefits:
- Security: Tokens can be revoked without changing your account password
- Granularity: Each project can have its own token
- Auditability: Track which tokens are used where
- Simplicity: Easy to configure in Composer
Access Control
Workspace Isolation
Tokens are scoped to specific workspaces:
- Each workspace has its own set of tokens
- Tokens only provide access to packages within their workspace
- Freelancers can manage separate tokens for different agencies
Token Management
You can:
- Create multiple tokens per workspace
- Give descriptive names to tokens (e.g., "Production Site", "Staging Environment")
- Revoke tokens at any time
- View when tokens were created and last used
Using Tokens with Composer
Step 1: Add Repository
Add Private Packages as a repository in your composer.json:
json
{
"repositories": [
{
"type": "composer",
"url": "https://{{workspace-slug}}.private-packages.com"
}
]
}Note: Replace {{workspace-slug}} with your workspace slug.
Step 2: Configure Authentication
Use your token for HTTP basic authentication:
bash
composer config http-basic.private-packages.com your-token-here tokenThis command creates or updates your auth.json file with the credentials.
Step 3: Require Packages
Install packages as you would any other Composer dependency:
bash
composer require vendor/package-nameSecurity Best Practices
Per-Project Tokens
Create a separate token for each project:
- Easier Management: Know which project uses which token
- Better Security: If a token is compromised, only one project is affected
- Simpler Revocation: Decommission projects without affecting others
Protect Your auth.json
The auth.json file contains sensitive credentials:
bash
# Add to .gitignore
echo "auth.json" >> .gitignoreDANGER
Never commit auth.json to version control. This file contains sensitive authentication credentials.
Environment Variables
For CI/CD pipelines, consider using environment variables:
bash
composer config http-basic.private-packages.com \
"${PRIVATE_PACKAGES_TOKEN}" tokenToken Rotation
Regularly rotate tokens for enhanced security:
- Create a new token
- Update your projects
- Revoke the old token
- Monitor for any issues
Team Access
Multiple Users
If multiple team members need access:
- Each user should have their own Private Packages account
- Share workspace access between team members
- Each developer creates their own tokens
CI/CD Systems
For automated deployments:
- Create a dedicated token for your CI/CD system
- Name it appropriately (e.g., "GitHub Actions", "GitLab CI")
- Store it securely in your CI/CD secrets/variables
- Rotate it periodically
Troubleshooting
Authentication Failed
If Composer can't authenticate:
- Verify the token: Copy it again from Private Packages
- Check the domain: Ensure you're using
private-packages.com - Inspect auth.json: Make sure the format is correct
- Token status: Check if the token has been revoked
Wrong Workspace
If you can't access certain packages:
- Verify you're using a token from the correct workspace
- Check that the packages exist in that workspace
- Ensure your account has access to the workspace
Token Not Working
If a newly created token doesn't work:
- Wait a few moments for the system to propagate changes
- Clear Composer cache:
composer clear-cache - Try the token in a fresh project to isolate issues
Next Steps
- Learn more about Tokens and detailed token management
- Review Getting Started for complete setup instructions
- Explore Packages to see what's available