Auth Configuration
Managing multiple credentials in your auth.json for Composer.
Overview
Composer uses an auth.json file to store credentials for private repositories and package hosts. You can keep multiple credentials (HTTP basic, OAuth tokens, personal access tokens, etc.) in one central file, keyed by host. This keeps your composer.json clean and your secrets out of your project manifests.
File Locations
Context | Path |
---|---|
Global | Linux/macOS: ~/.composer/auth.json; Windows: %APPDATA%\Composer\auth.json |
Project‑local | <project-root>/auth.json |
Tip:
- Use project‑local for project‑specific tokens (e.g., a repo‑only deploy key).
- Use global for personal access tokens you reuse across projects.
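auth.json Structure
Your auth.json is a JSON object with credential types as top‑level keys. Each type maps hostnames → credential data. The /* ... */ comments in the skeleton below are placeholders only; a real auth.json must be valid JSON, which does not allow comments.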
{
  "http-basic": { /* Basic HTTP auth */ },
  "github-oauth": { /* GitHub tokens */ },
  "gitlab-token": { /* GitLab PATs */ },
  "bitbucket-oauth": { /* Bitbucket OAuth */ },
  "bearer": { /* Bearer tokens (npm, etc.) */ }
}
HTTP Basic Auth
For Composer repos that require user/pass:
"http-basic": {
  "repo1.example.com": {
    "username": "alice",
    "password": "s3cret!"
  },
  "repo2.example.com": {
    "username": "bob",
    "password": "P@ssw0rd"
  }
}
GitHub OAuth
For GitHub’s API rate limits or private repos:
"github-oauth": {
  "github.com": "ghp_abcd1234ABCDEFGHIJKLMNOP",
  "github.enterprise.local": "ghp_enterprisetoken09876ZYXWV"
}
GitLab Token
GitLab personal access tokens:
"gitlab-token": {
  "gitlab.com": "glpat-ABCDEFGHIJKLMNOPQRSTU",
  "git.self-hosted.local": "glpat-1234567890ABCDEFGHIJ"
}
Bitbucket OAuth
Consumer key/secret pairs:
"bitbucket-oauth": {
  "bitbucket.org": {
    "consumer-key": "KEY12345",
    "consumer-secret": "SECRET67890"
  }
}
Bearer Tokens
Generic bearer tokens (e.g., npm registries):
"bearer": {
  "npm.pkg.github.com": "npm_abcdefghijklmnopqrstuv"
}
Adding Credentials via CLI
Avoid hand‑editing: use Composer’s built‑in config command to keep JSON valid.
# 1. HTTP Basic
composer config --global http-basic.repo1.example.com alice s3cret!
composer config --global http-basic.repo2.example.com bob P@ssw0rd
# 2. GitHub OAuth
composer config --global github-oauth.github.com ghp_abcd1234ABCDEFGHIJKLMNOP
composer config --global github-oauth.github.enterprise.local ghp_enterprisetoken09876ZYXWV
# 3. GitLab Token
composer config --global gitlab-token.gitlab.com glpat-ABCDEFGHIJKLMNOPQRSTU
composer config --global gitlab-token.git.self-hosted.local glpat-1234567890ABCDEFGHIJ
# 4. Bitbucket OAuth (consumer key and consumer secret are passed together as two values)
composer config --global bitbucket-oauth.bitbucket.org KEY12345 SECRET67890
# 5. Bearer Token
composer config --global bearer.npm.pkg.github.com npm_abcdefghijklmnopqrstuv
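These commands automatically create or update your global auth.json. Because each secret is passed as a command-line argument, it is also recorded in your shell history unless history is disabled for that session.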
Managing Entries
List current credentials:
cat ~/.composer/auth.json | jq .
Remove an entry:
composer config --global --unset http-basic.repo1.example.com
Migrate global → project:
- Copy the relevant block from ~/.composer/auth.json.
- Paste into <project>/auth.json under the same key.
Best Practices
- Never commit auth.json to Git.
- Store least-privilege tokens (scoped to repos/services).
- Rotate tokens periodically.
- Use project‑local tokens for CI/CD pipelines.
- Document in your README if private repos require extra setup.
Troubleshooting & FAQ
Q: Composer still prompts for credentials. What gives?
A:
- Check you have the correct hostname (no trailing slash, exact match).
- Verify JSON syntax (jq . auth.json).
- Ensure you’re editing the right file (COMPOSER_HOME vs. project).
Q: I have a GitHub token but hit API rate limits.
A:
- Ensure token has repo and read:packages scopes.
- Use a fine‑grained token for public/open‑source to reduce scope.
Q: Can I use the same token for GitHub and GitHub Enterprise?
A: Yes, just add separate entries under github-oauth with each hostname.
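The first troubleshooting answer (exact hostname, valid JSON) can be checked mechanically before Composer ever prompts. The linter below is an added example, not part of Composer or of the original page; the names lint_auth and SAMPLE are hypothetical, and it validates only the credential shapes shown on this page.

```python
import json

# Shapes follow this page's examples (assumption): token types map host -> string,
# object types map host -> object with these fields; other types are only reported.
TOKEN_TYPES = {"github-oauth", "gitlab-token", "bearer"}
OBJECT_TYPES = {
    "http-basic": {"username", "password"},
    "bitbucket-oauth": {"consumer-key", "consumer-secret"},
}


def lint_auth(text):
    """Return a list of problems found in the text of an auth.json file."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]
    problems = []
    for ctype, hosts in data.items():
        if ctype not in TOKEN_TYPES and ctype not in OBJECT_TYPES:
            problems.append(f"{ctype}: credential type not covered here")
            continue
        if not isinstance(hosts, dict):
            problems.append(f"{ctype}: must map hostnames to credentials")
            continue
        for host, cred in hosts.items():
            where = f"{ctype}.{host}"
            if "/" in host or host != host.strip():  # scheme, path or trailing slash
                problems.append(f"{where}: key must be a bare hostname")
            if ctype in TOKEN_TYPES:
                if not isinstance(cred, str) or not cred:
                    problems.append(f"{where}: expected a non-empty token string")
                continue
            fields = set(cred) if isinstance(cred, dict) else set()
            missing = sorted(OBJECT_TYPES[ctype] - fields)
            if missing:
                problems.append(f"{where}: missing {', '.join(missing)}")
    return problems


# Constructed sample: one entry lacks a password, one host key has a trailing slash.
SAMPLE = """{
  "http-basic": {"repo1.example.com": {"username": "alice"}},
  "github-oauth": {"github.com/": "PLACEHOLDER_TOKEN"}
}"""

if __name__ == "__main__":
    print("\n".join(lint_auth(SAMPLE)))
```

The messages name the credential type and host but never echo the secret itself, so the output is safe to paste into a CI log or a support ticket.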