How It Works

Private Packages acts as a private Composer repository for your premium WordPress plugins and themes. It handles the authentication, updates, and distribution of packages that aren't available on public repositories.

Architecture Overview

1. Package Recipes

At the core of Private Packages are recipes - specialized integrations for different plugin vendors and update systems. Each recipe knows how to:

  • Authenticate with the vendor's API
  • Validate license keys
  • Check for new versions
  • Download plugin/theme files

2. Standardized Update Systems

Many premium plugins use standardized update systems like Easy Digital Downloads (EDD). Private Packages has reverse-engineered these common systems, which means:

  • Plugins using EDD should work automatically with minimal configuration
  • The same applies to other standardized systems like WooCommerce updaters
  • You only need to provide your license key and basic settings

3. Custom Vendor Integrations

For vendors with proprietary update systems, Private Packages includes custom recipes that handle their specific requirements. Examples include:

  • Advanced Custom Fields (ACF)
  • Gravity Forms
  • Elementor Pro
  • WPML
  • ...

Update Cycle

Private Packages follows a predictable update cycle:

  1. Every 6 Hours: Checks all packages for new releases
  2. Daily: Validates all license keys to ensure they're still active
  3. On Demand: You can manually trigger update checks from the package edit page

License Management

Automatic Validation

The app automatically checks license validity daily and updates the package status accordingly. If a license becomes invalid:

  • The package will be marked as invalid
  • You can resolve the issue from the package edit page

License Activation

For supported recipes, you can:

  • Check license status manually
  • Activate licenses directly with the plugin vendor
  • View activation details and error messages

Composer Integration

Private Packages serves as a Composer repository that requires authentication:

Authentication Tokens

  • Generated per-project for security
  • Used for Composer basic authentication
  • Scoped to specific workspaces

composer.json Configuration

Add Private Packages as a repository in your composer.json:

```json
{
    "repositories": [
        {
            "type": "composer",
            "url": "https://{{workspace-slug}}.private-packages.com"
        }
    ]
}
```

Note: Replace {{workspace-slug}} with your workspace slug.

Then authenticate using your token (see Tokens for details).
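The following is an added example, not part of the Private Packages documentation: a Python check that a committed composer.json does not expose the repository token or weaken transport security. It goes beyond the snippet above by also inspecting Composer's standard `secure-http` and `http-basic` config keys; the workspace slug and credentials in the sample are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample with the mistakes this check looks for.
# The slug "example-workspace" and both credential values are placeholders.
SAMPLE_BAD = """{
  "repositories": [
    {"type": "composer", "url": "https://PLACEHOLDER_USER:PLACEHOLDER_TOKEN@example-workspace.private-packages.com"},
    {"type": "composer", "url": "http://example-workspace.private-packages.com"}
  ],
  "config": {
    "secure-http": false,
    "http-basic": {"example-workspace.private-packages.com": {"username": "PLACEHOLDER_USER", "password": "PLACEHOLDER_TOKEN"}}
  }
}"""

def audit_composer_json(text):
    """Return findings for token-handling mistakes in a composer.json document."""
    data = json.loads(text)
    findings = []
    repos = data.get("repositories", [])
    # Composer accepts repositories as a list or as a name -> definition object.
    if isinstance(repos, dict):
        repos = list(repos.values())
    for repo in repos:
        if not isinstance(repo, dict) or "url" not in repo:
            continue  # entries such as {"packagist.org": false} carry no URL
        parts = urlsplit(repo["url"])
        host = parts.hostname or repo["url"]
        if parts.username or parts.password:
            findings.append(f"credentials embedded in repository URL for {host}")
        if parts.scheme == "http":
            findings.append(f"repository {host} is fetched over plain HTTP")
    config = data.get("config", {})
    if config.get("secure-http") is False:
        findings.append("config.secure-http is disabled")
    for host in config.get("http-basic", {}):
        findings.append(f"http-basic credentials for {host} stored in composer.json")
    return findings

if __name__ == "__main__":
    for finding in audit_composer_json(SAMPLE_BAD):
        print("FINDING:", finding)
```

Composer can read the same credentials from auth.json or the COMPOSER_AUTH environment variable, which keeps the token out of the file that is committed with the project.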

Multi-Tenancy

Private Packages supports multiple workspaces within a single account:

  • Use Case: Freelance developers working with multiple agencies
  • Isolation: Each workspace has its own packages and tokens
  • Billing: Workspaces are billed separately
  • Management: Easy switching between workspaces

Security

Two-Factor Authentication

Supply Chain Security

We have chosen to make 2FA mandatory. 2FA is critical for preventing unauthorized access. If someone gained access to your account, they could create malicious releases, effectively launching a supply chain attack that compromises all projects using your packages.

Users are required to enable 2FA for enhanced account security, protecting:

  • Login access
  • Sensitive license information
  • Workspace management
  • Package integrity
