|
| 1 | +# Composer Authentication |
| 2 | +## |
| 3 | + |
| 4 | +Running Composer commands against Private Packagist always requires authentication. |
| 5 | + |
| 6 | +## Different types of tokens |
| 7 | +Three different types of authentication tokens can be used to access Private Packagist. |
| 8 | + |
| 9 | +### User access token |
| 10 | +Every user has their own token that they can access either on the profile page or on the overview page of their organizations. |
| 11 | +The token grants the user access to all organizations and subrepositories they are a member of. |
| 12 | + |
| 13 | +### Organization authentication tokens |
| 14 | +Admins and owners of an organization can create additional tokens on the organization settings page. |
| 15 | +Organization authentication tokens are ideal for automated systems like your CI environment or deployments. |
| 16 | + |
| 17 | +If your organization uses subrepository then you can also create additional tokens in subrepositories. |
| 18 | +Tokens created in the organization settings do not grant you access to any of your subrepositories and tokens created in |
| 19 | +a subrepository only grant you access to the subrepository the token was created in. |
| 20 | + |
| 21 | +#### Read-only vs update tokens |
| 22 | +There are two kinds of organization authentication tokens, read-only and update tokens. |
| 23 | +Read-only tokens aren't suitable to run `composer update` as they do not allow automatic mirroring for new packages. |
| 24 | +If you need to run `composer update` then either use a token with update access or your personal access token. |
| 25 | +Please note that you will be charged for authentication tokens with update access as if they were user accounts. |
| 26 | + |
| 27 | +### Private Packagist for Vendors customer tokens |
| 28 | +Every Private Packagist for Vendors customer receives their own authentication token. |
| 29 | +The token can only be used to install packages for the matching customer URL. |
| 30 | + |
| 31 | +Please note that neither user tokens nor organization tokens can be used to install packages from a customer URL. |
| 32 | + |
| 33 | +## Token format |
| 34 | +An authentication token consists of three parts: a prefix, a 60 hexadecimal character long random part, and an eight hexadecimal character long checksum. |
| 35 | + |
| 36 | +There are currently three different prefixes: |
| 37 | +* `packagist_ort_`: Organization tokens with read-only access |
| 38 | +* `packagist_out_`: Organization tokens with update access |
| 39 | +* `packagist_uut_`: User tokens with update access |
| 40 | + |
| 41 | +This format doesn't apply to authentication tokens generated for Private Packagist for Vendors customers and older tokens that haven't been regenerated recently. |
| 42 | +These tokens only consist of the 60 hexadecimal character random part. |
| 43 | + |
| 44 | +### How to calculate the checksum |
| 45 | +To calculate the checksum of a token, calculate the CRC32 checksum using the prefix and random part, convert the number to hexadecimal |
| 46 | +and asserting that the checksum is exactly eight characters long. |
| 47 | + |
| 48 | +For example using PHP, you can use `substr(str_pad(dechex(crc32($prefix . $random)), 8, '0', STR_PAD_LEFT), 0, 8)` |
0 commit comments