Skip to content

Composer HTTP Basic Authentication

Many paid WordPress plugins also offer Composer support. Typically, this is accomplished by adding the plugin repository to your composer.json file:

"repositories": [

The actual plugin download is protected behind a basic HTTP authentication layer. This allows the plugin developer to restrict access to the plugin via Composer by a username/password combination. The basic authentication credentials are stored in an auth.json file.

    "http-basic": {
        "": {
            "username": "{COMPOSER_HTTP_USERNAME}",
            "password": "{COMPOSER_HTTP_PASSWORD}"

However, when using such plugins in a Trellis project, it is generally considered bad practice to implement this via deploy hooks or adding the auth.json to your version control.

Trellis now supports HTTP basic authentication for multiple Composer repositories, via the Ansible Vault functionality, on a per environment configuration.

# group_vars/<env>/vault.yml

      - { hostname:, username: COMPOSER_HTTP_USERNAME, password: COMPOSER_HTTP_USERNAME }

If the private repository doesn't use a password (because the username contains an API key for example), you'll need to omit password like this:

# group_vars/<env>/vault.yml

      - { hostname:, username: apikey }

Multiple private Composer repositories can be configured in this way.

This functionality does have a few requirements:

  • The passwords should not be stored as plain text, as described in the Vault documentation
  • Currently, only HTTP basic authentication is supported


Last updated

Support Roots

Help us continue to build and maintain our open source projects. We’re a small team of independent developers and every little bit helps.

Sponsor Roots on GitHub