PHPackages                             hryvinskyi/composer-multi-auth - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. hryvinskyi/composer-multi-auth

ActiveComposer-plugin[Authentication &amp; Authorization](/categories/authentication)

hryvinskyi/composer-multi-auth
==============================

Composer plugin for per-package HTTP basic auth on a single repository domain

1.0.2(2mo ago)08↓50%MITPHPPHP ^8.1

Since Mar 4Pushed 2mo agoCompare

[ Source](https://github.com/hryvinskyi/composer-multi-auth)[ Packagist](https://packagist.org/packages/hryvinskyi/composer-multi-auth)[ RSS](/packages/hryvinskyi-composer-multi-auth/feed)WikiDiscussions main Synced 1mo ago

READMEChangelogDependencies (2)Versions (3)Used By (0)

Composer Multi-Auth
===================

[](#composer-multi-auth)

Composer plugin that enables per-package HTTP basic authentication on a single repository domain.

Problem
-------

[](#problem)

Composer resolves HTTP basic auth by domain — one credential pair per domain in `auth.json`. When a single repository hosts packages from different vendors requiring different API keys, there's no native way to use per-package credentials.

How It Works
------------

[](#how-it-works)

The plugin reads `auth-multi.json` from your project root and:

1. **Overrides default auth** with the first rule's credentials during repository metadata discovery (so the provider listing includes all packages you need).
2. **Intercepts each download** via Composer's `PRE_FILE_DOWNLOAD` event and applies the correct credentials based on package name glob patterns.
3. **Restores default credentials** for packages that don't match any specific rule.

First matching rule wins. Use `*` as a catch-all.

Requirements
------------

[](#requirements)

- PHP 8.1+
- Composer 2.x

Installation
------------

[](#installation)

```
composer require hryvinskyi/composer-multi-auth
```

Add to `allow-plugins` in your `composer.json` if prompted:

```
{
    "config": {
        "allow-plugins": {
            "hryvinskyi/composer-multi-auth": true
        }
    }
}
```

Setup
-----

[](#setup)

On first activation the plugin automatically:

- Creates `auth-multi.json.sample` in the project root
- Adds `auth-multi.json` to `.gitignore`

Then create your config:

1. Copy the sample and fill in your keys:

```
cp auth-multi.json.sample auth-multi.json
```

2. Edit `auth-multi.json`:

```
{
    "http-basic": {
        "private.repo.example.com": {
            "rules": [
                {
                    "patterns": ["acme/*"],
                    "username": "acme-public-key",
                    "password": "acme-private-key"
                },
                {
                    "patterns": ["*"],
                    "username": "your-default-public-key",
                    "password": "your-default-private-key"
                }
            ]
        }
    }
}
```

Configuration
-------------

[](#configuration)

### auth-multi.json

[](#auth-multijson)

```
{
    "http-basic": {
        "": {
            "rules": [
                {
                    "patterns": ["", ...],
                    "username": "",
                    "password": ""
                }
            ]
        }
    }
}
```

FieldDescription`http-basic`Top-level key (matches Composer's auth.json structure)``Repository domain`rules`Ordered array of rules — first match wins`patterns`Array of glob patterns matched via `fnmatch()` (e.g., `vendor/*`, `vendor/package`)`username`HTTP basic auth username / public key`password`HTTP basic auth password / private key### Rule ordering

[](#rule-ordering)

Rules are evaluated top-to-bottom. The first rule whose patterns match the package name is used. Always place specific rules before the catch-all `*` rule.

### Catch-all rule

[](#catch-all-rule)

The catch-all rule (`"patterns": ["*"]`) should be the **last rule** and should contain your default `auth.json` credentials. This ensures packages not matching any specific rule still authenticate correctly.

**Important:** The first rule's credentials are used for repository metadata discovery (loading the package listing). Place the rule for the packages you need to discover first.

Verification
------------

[](#verification)

Run Composer with verbose output to see the plugin in action:

```
composer install -vvv
```

Look for `[multi-auth]` prefixed messages:

```
Loading plugin Hryvinskyi\ComposerMultiAuth\Plugin
[multi-auth] Loaded rules for 1 domain(s).
[multi-auth] Applying credentials for package "acme/some-package" on "private.repo.example.com".
[multi-auth] Restoring default credentials for package "other/package" on "private.repo.example.com".

```

License
-------

[](#license)

MIT

###  Health Score

39

—

LowBetter than 85% of packages

Maintenance93

Actively maintained with recent releases

Popularity6

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity43

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~0 days

Total

2

Last Release

66d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/e254b6c28f67e639b2beb3f21a80f2b4ff9efc5ee782943d497b73523f630c1d?d=identicon)[hryvinskyi](/maintainers/hryvinskyi)

---

Top Contributors

[![hryvinskyi](https://avatars.githubusercontent.com/u/9294098?v=4)](https://github.com/hryvinskyi "hryvinskyi (2 commits)")

### Embed Badge

![Health badge](/badges/hryvinskyi-composer-multi-auth/health.svg)

```
[![Health](https://phpackages.com/badges/hryvinskyi-composer-multi-auth/health.svg)](https://phpackages.com/packages/hryvinskyi-composer-multi-auth)
```

###  Alternatives

[namshi/jose

JSON Object Signing and Encryption library for PHP.

1.8k99.6M100](/packages/namshi-jose)[gesdinet/jwt-refresh-token-bundle

Implements a refresh token system over Json Web Tokens in Symfony

70516.4M35](/packages/gesdinet-jwt-refresh-token-bundle)[league/oauth2-google

Google OAuth 2.0 Client Provider for The PHP League OAuth2-Client

41721.2M117](/packages/league-oauth2-google)[illuminate/auth

The Illuminate Auth package.

9327.3M1.0k](/packages/illuminate-auth)[beatswitch/lock

A flexible, driver based Acl package for PHP 5.4+

870304.7k2](/packages/beatswitch-lock)[amocrm/amocrm-api-library

amoCRM API Client

182728.5k6](/packages/amocrm-amocrm-api-library)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)