Authenticated Composer repositories

Some PHP projects may need to use a private, third party Composer repository in addition to the public repository. Often, such third party repositories require authentication to download packages. These credentials shouldn't be located in the Git repository source code for security reasons.

To handle that situation, you can define an env:COMPOSER_AUTH project variable, which lets you set up authentication as an environment variable. The contents of the variable should be a JSON formatted object containing an http-basic object (see composer-auth specifications).

The advantage is that you can control who in your team has access to those variables.

Specify a third party repository in composer.json 

For this example, consider that there are several packages to install from a private repository hosted at List that repository in your composer.json file.

    "repositories": [
        {
            "type": "composer",
            "url": ""
        }
    ]

Set a project variable 

Set the Composer authentication by adding a project level variable called env:COMPOSER_AUTH as JSON and available only during build time.

That can be done through the Console or via the command line, like so:

    platform variable:create --level project --name env:COMPOSER_AUTH \
      --json true --visible-runtime false --sensitive true --visible-build true \
      --value '{"http-basic": {"": {"username": "your-username", "password": "your-password"}}}'

The env: prefix makes that variable available to Composer as its own Unix environment variable during the build process. The optional --no-visible-runtime flag means the variable is only defined during the build hook, which offers slightly better security.

Note: The authentication credentials may be cached in your project’s build container, so please make sure you clear the Composer cache upon changing any authentication credentials. You can use the platform project:clear-build-cache command.

Build your application with Composer 

Enable the default Composer build mode in your

    build:
        flavor: "composer"

In that case, Composer can authenticate and download dependencies from your authenticated repository.
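The following check is an added example, not code from this documentation or from Composer. It audits the setup described above: it flags credentials embedded in a composer.json repository URL and confirms that the COMPOSER_AUTH value has an http-basic entry for every "composer" type repository. The function name `audit`, the example.com hosts and the sample values are constructed for illustration, and matching entries by hostname only (ignoring ports) is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample inputs; the example.com hosts are placeholders.
SAMPLE_COMPOSER_JSON = """{
  "repositories": [
    {"type": "composer", "url": "https://repo.example.com"},
    {"type": "composer", "url": "https://deploy:s3cret@mirror.example.com/packages"}
  ]
}"""
SAMPLE_COMPOSER_AUTH = (
    '{"http-basic": {"repo.example.com": {"username": "u", "password": "p"}}}'
)


def audit(composer_json, composer_auth):
    """Return a list of findings; an empty list means the setup is consistent."""
    try:
        auth = json.loads(composer_auth or "{}")
    except json.JSONDecodeError as exc:
        return [f"COMPOSER_AUTH is not valid JSON: {exc.msg}"]
    basic = auth.get("http-basic") if isinstance(auth, dict) else None
    if not isinstance(basic, dict):
        basic = {}

    repos = json.loads(composer_json).get("repositories", [])
    # Composer accepts "repositories" as a list or as an object keyed by name.
    if isinstance(repos, dict):
        repos = list(repos.values())

    findings = []
    for repo in repos:
        # Skip non-object entries (such as a disabled repository) and other types.
        if not isinstance(repo, dict) or repo.get("type") != "composer":
            continue
        parts = urlsplit(repo.get("url", ""))
        host = parts.hostname or ""  # assumption: entries are keyed by hostname
        if parts.username or parts.password:
            # Report the host only; never echo the secret itself.
            findings.append(f"{host}: credentials embedded in composer.json URL")
        entry = basic.get(host)
        if not isinstance(entry, dict):
            findings.append(f"{host}: no http-basic entry in COMPOSER_AUTH")
        elif not (entry.get("username") and entry.get("password")):
            findings.append(f"{host}: http-basic entry lacks username or password")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_AUTH):
        print(finding)
```

Run against the real composer.json and the intended variable value before committing, so that a URL carrying credentials never reaches the Git history.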

Private repository hosting 

Typically, a private dependency is hosted in a private Git repository. While supports private repositories for the site itself, that doesn’t help for pulling in third party dependencies from private repositories unless they have the same SSH keys associated with them.

Fortunately, most private Composer tools (including Satis, Toran Proxy, and Private Packagist) mirror tagged releases of dependencies and serve them directly rather than hitting the Git repository. As long as your dependencies specify tagged releases, there should be no need to authenticate against a remote Git repository and there should be no authentication issue.