Auth Configuration
Managing multiple credentials in your auth.json for Composer.
Overview
Composer uses an auth.json file to store credentials for private repositories and package hosts. You can keep multiple credentials—HTTP basic, OAuth tokens, personal access tokens, etc.—in one central file, keyed by host. This keeps your composer.json clean and your secrets out of your project manifests.
File Locations
| Context | Path |
|---|---|
| Global | Linux/macOS: ~/.composer/auth.json; Windows: %APPDATA%\Composer\auth.json |
| Project‑local | <project-root>/auth.json |
Tip:
- Use project‑local for project‑specific tokens (e.g., a repo‑only deploy key).
- Use global for personal access tokens you reuse across projects.
auth.json Structure
Your auth.json is a JSON object with credential types as top‑level keys. Each type maps hostnames → credential data.
```json
{
  "http-basic": { /* Basic HTTP auth */ },
  "github-oauth": { /* GitHub tokens */ },
  "gitlab-token": { /* GitLab PATs */ },
  "bitbucket-oauth": { /* Bitbucket OAuth */ },
  "bearer": { /* Bearer tokens (npm, etc.) */ }
}
```
HTTP Basic Auth
For Composer repos that require user/pass:
```json
"http-basic": {
  "repo1.example.com": {
    "username": "alice",
    "password": "s3cret!"
  },
  "repo2.example.com": {
    "username": "bob",
    "password": "P@ssw0rd"
  }
}
```
GitHub OAuth
For GitHub’s API rate limits or private repos:
```json
"github-oauth": {
  "github.com": "ghp_abcd1234ABCDEFGHIJKLMNOP",
  "github.enterprise.local": "ghp_enterprisetoken09876ZYXWV"
}
```
GitLab Token
GitLab personal access tokens:
```json
"gitlab-token": {
  "gitlab.com": "glpat-ABCDEFGHIJKLMNOPQRSTU",
  "git.self-hosted.local": "glpat-1234567890ABCDEFGHIJ"
}
```
Bitbucket OAuth
Consumer key/secret pairs:
```json
"bitbucket-oauth": {
  "bitbucket.org": {
    "consumer-key": "KEY12345",
    "consumer-secret": "SECRET67890"
  }
}
```
Bearer Tokens
Generic bearer tokens (e.g., npm registries):
```json
"bearer": {
  "npm.pkg.github.com": "npm_abcdefghijklmnopqrstuv"
}
```
Adding Credentials via CLI
Avoid hand‑editing—use Composer’s built‑in config command to keep JSON valid.
```bash
# Note: secrets typed as arguments are saved in your shell history.
# 1. HTTP Basic
composer config --global http-basic.repo1.example.com alice s3cret!
composer config --global http-basic.repo2.example.com bob P@ssw0rd
# 2. GitHub OAuth
composer config --global github-oauth.github.com ghp_abcd1234ABCDEFGHIJKLMNOP
composer config --global github-oauth.github.enterprise.local ghp_enterprisetoken09876ZYXWV
# 3. GitLab Token
composer config --global gitlab-token.gitlab.com glpat-ABCDEFGHIJKLMNOPQRSTU
composer config --global gitlab-token.git.self-hosted.local glpat-1234567890ABCDEFGHIJ
# 4. Bitbucket OAuth (consumer key and consumer secret are passed together)
composer config --global bitbucket-oauth.bitbucket.org KEY12345 SECRET67890
# 5. Bearer Token
composer config --global bearer.npm.pkg.github.com npm_abcdefghijklmnopqrstuv
```
These commands will automatically create or update your global auth.json.
Managing Entries
List current credentials:
```bash
cat ~/.composer/auth.json | jq .
```
Remove an entry:
```bash
composer config --global --unset http-basic.repo1.example.com
```
Migrate global → project:
- Copy the relevant block from ~/.composer/auth.json.
- Paste into <project>/auth.json under the same key.
Best Practices
- Never commit auth.json to Git.
- Store least-privilege tokens (scoped to repos/services).
- Rotate tokens periodically.
- Use project‑local tokens for CI/CD pipelines.
- Document in your README if private repos require extra setup.
Troubleshooting & FAQ
Q: Composer still prompts for credentials—what gives? A:
- Check you have the correct hostname (no trailing slash, exact match).
- Verify JSON syntax (jq . auth.json).
- Ensure you’re editing the right file (COMPOSER_HOME vs. project).
Q: I have a GitHub token but hit API rate limits. A:
- Ensure token has repo and read:packages scopes.
- Use a fine‑grained token for public/open‑source to reduce scope.
Q: Can I use the same token for GitHub and GitHub Enterprise? A: Yes—just add separate entries under github-oauth with each hostname.
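
An added example, not part of the original page or of Composer: a small Python audit that applies the checks from Best Practices and the first troubleshooting answer to an auth.json file and reports which hosts hold credentials without returning any secret. KNOWN_TYPES, SAMPLE, audit_auth and audit_file are names chosen here; the permission check (POSIX mode bits) and the literal .gitignore match are assumptions of this example, not rules stated above.

```python
import json
import os
import stat

# Credential types shown on this page (Composer accepts others; extend as needed).
KNOWN_TYPES = {"http-basic", "github-oauth", "gitlab-token",
               "bitbucket-oauth", "bearer"}

# Constructed sample: one trailing-slash host key and one misspelled section.
SAMPLE = """{
  "http-basic": {"repo1.example.com/": {"username": "alice", "password": "x"}},
  "github_oauth": {"github.com": "constructed-token"},
  "gitlab-token": {"gitlab.com": "constructed-token"}
}"""


def audit_auth(text, mode=None, gitignore=None):
    """Return (findings, hosts) for auth.json text; secret values are never returned."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"], []
    if not isinstance(data, dict):
        return ["top level must be a JSON object"], []
    findings, hosts = [], []
    # Added check, not from the page: mode is the file's st_mode, owner-only expected.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group/other; chmod 600")
    # Heuristic for "never commit auth.json": look for a literal ignore rule.
    if gitignore is not None:
        rules = {line.strip() for line in gitignore.splitlines()}
        if not rules & {"auth.json", "/auth.json"}:
            findings.append("auth.json is not listed in .gitignore")
    for ctype, entries in data.items():
        if ctype not in KNOWN_TYPES or not isinstance(entries, dict):
            findings.append(f"section '{ctype}' is unknown or not an object")
            continue
        for host in entries:
            # Page's troubleshooting rule: exact hostname, no trailing slash.
            if "/" in host:
                findings.append(f"{ctype}: host key '{host}' contains '/'")
            hosts.append((ctype, host))
    return findings, sorted(hosts)


def audit_file(path):
    """Audit a file on disk, including its POSIX permission bits."""
    with open(path, encoding="utf-8") as fh:
        return audit_auth(fh.read(), os.stat(path).st_mode)
```

Call audit_file on a project-local auth.json after migrating entries by hand, or pass the project's .gitignore text to audit_auth to include the commit check.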