# Composer HTTP Basic Authentication

Many paid WordPress plugins also offer Composer support. Typically, this is accomplished by adding the plugin repository to your composer.json file:

"repositories": [

The actual plugin download is protected behind a basic HTTP authentication layer. This allows the plugin developer to restrict access to the plugin via Composer by a username/password combination. The basic authentication credentials are stored in an auth.json file.

    "http-basic": {
        "example.com": {
            "username": "{COMPOSER_HTTP_USERNAME}",
            "password": "{COMPOSER_HTTP_PASSWORD}"

However, when using such plugins in a Trellis project, it is generally considered bad practice to implement this via deploy hooks (opens new window) or adding the auth.json to your version control.

Trellis now supports HTTP basic authentication for multiple Composer repositories, via the Ansible Vault (opens new window) functionality, on a per environment configuration.

# group_vars/<env>/vault.yml

      - { hostname: example.com, username: COMPOSER_HTTP_USERNAME, password: COMPOSER_HTTP_USERNAME }

Multiple private Composer repositories can be configured in this way.

This functionality does have a few requirements

  • The passwords should not be stored as plain text, as described in the Vault (opens new window) documentation
  • The password cannot be null, or an empty string
  • Currently, only HTTP basic authentication is supported

Page authors:

Ben Word
Jonathan Bossenger
Sponsor us on GitHub to help us grow 🌱