Upsun User Documentation

Authenticated Composer repositories


Packagist is the primary Composer repository for public PHP packages. But you can also have Composer download PHP packages from a private, third-party Composer repository. To make sure Composer has the necessary credentials to do so, follow the instructions on this page.

Before you begin

You need:

  • An Upsun project using PHP and Composer
  • Credentials to access a private third-party Composer repository
  • The Upsun CLI

1. Declare a private Composer repository

To allow Composer to download packages from a private third-party repository, declare the repository in your Composer setup.

    "repositories": [
        {
            "type": "composer",
            "url": "https://PRIVATE_REPOSITORY_URL"
        }
    ]

2. Set up Composer authentication using a variable

To allow Composer to successfully authenticate when accessing the declared private repository, set an env:COMPOSER_AUTH variable for your project.

To do so, run the following command:

    upsun variable:create --level project --name env:COMPOSER_AUTH \
      --json true --visible-runtime false --sensitive true --visible-build true \
      --value '{"http-basic": {"PRIVATE_REPOSITORY_URL": {"username": "USERNAME", "password": "PASSWORD"}}}'

The env: prefix means that the variable is exposed as its own Unix environment variable. The --visible-runtime false and --visible-build true flags mean the variable is available to Composer only during the build.

3. Clear your project’s build cache

For security reasons, make sure that the authentication credentials aren’t cached in your project’s build container. To do so, run the following command:

    upsun project:clear-build-cache
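
A pre-deploy check for steps 1 and 2, as an added example that is not part of the Upsun documentation or tooling: it compares the repositories declared in composer.json with the JSON you intend to store in env:COMPOSER_AUTH. The function name `audit_composer_auth` and the sample hosts and credentials are hypothetical and constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample inputs (hypothetical hosts and credentials, not from the page).
SAMPLE_COMPOSER_JSON = """{
  "repositories": [
    {"type": "composer", "url": "https://packages.example.com"},
    {"type": "composer", "url": "http://bob:s3cret@legacy.example.com"},
    {"packagist.org": false}
  ]
}"""
SAMPLE_COMPOSER_AUTH = """{"http-basic": {
  "packages.example.com": {"username": "USERNAME", "password": "PASSWORD"},
  "https://old.example.com": {"username": "USERNAME", "password": "PASSWORD"}
}}"""


def audit_composer_auth(composer_json, composer_auth):
    """Return a list of findings; an empty list means the two inputs agree."""
    findings = []
    repos = json.loads(composer_json).get("repositories", [])
    if isinstance(repos, dict):  # Composer also accepts an object keyed by name
        repos = list(repos.values())
    basic = json.loads(composer_auth).get("http-basic", {})

    # The http-basic map is keyed by domain name, so flag keys with a scheme or path.
    for key in basic:
        if "://" in key or "/" in key:
            findings.append(f"auth key is not a bare domain: {key}")

    for repo in repos:
        if not isinstance(repo, dict) or repo.get("type") != "composer":
            continue  # skips entries such as {"packagist.org": false}
        url = urlsplit(repo.get("url", ""))
        host = url.hostname or ""  # a non-default port is ignored in this check
        if url.scheme != "https":
            findings.append(f"basic auth would travel without TLS: {host}")
        if url.username or url.password:
            findings.append(f"credentials committed in composer.json URL: {host}")
        if host not in basic:
            findings.append(f"no http-basic entry for: {host}")
    return findings


if __name__ == "__main__":
    for finding in audit_composer_auth(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_AUTH):
        print(finding)
```

Run it locally against your real composer.json before creating the variable, so the credential JSON never has to be committed or echoed in build logs to debug a mismatch.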

Access dependencies downloaded from a private repository

When you download a dependency from a private third-party Composer repository, that dependency is usually hosted in a private Git repository. Access to private Git repositories is restricted through the use of SSH keys. But most private Composer tools mirror tagged releases of dependencies and serve them directly without hitting the Git repository. To avoid having to authenticate against a remote Git repository, make sure your dependencies specify tagged releases.
