
API Documentation

Client Library

We provide a PHP client for the Private Packagist API. The client handles authentication, signature generation and access to all endpoints.

Run composer require private-packagist/api-client php-http/guzzle6-adapter to install the client.

Basic usage

$client = new \PrivatePackagist\ApiClient\Client();
$client->authenticate('api-token', 'api-secret');
$packages = $client->packages()->all();

Authentication

The Private Packagist API supports token based authentication. All API tokens are bound to a specific Private Packagist organization. You can create API tokens in your organization settings under API access.

Supported Headers

The API expects a PACKAGIST-HMAC-SHA256 Authorization header to be present for every request.

Authorization: PACKAGIST-HMAC-SHA256
Key=ffce048835c6cdea47bc,
Timestamp=1522925488,
Cnonce=zjmfNVePGWoYksX/NJqnemb0g2dH30X3gu22JXqadZ0exBJsQZrC1xNYo10jyC6E,
Signature=QXnRNGuXMOzd/dBnk1mbSUsA2M6ablgY+9y5/o/dIg4=

The required values are:

  • [Required] Key: API token.
  • [Required] Timestamp: The Unix timestamp in seconds supplied by the API caller, that is, the number of seconds from January 1, 1970 until now. The timestamp is valid within 15 seconds.
  • [Required] Cnonce: The UUID generated by the API caller. This value is used with the timestamp to prevent replay.
  • [Required] Signature: Signature string. See below.

Signature Verification

The signature calculation procedure is as follows:

Organize the strings involved in the signature calculation

// Values that are always part of the signature
$params = [
    'timestamp' => $time,
    'cnonce' => $nonce,
    'key' => $apiToken,
];

// Include the body only when the request actually has one
if ($content) {
    $params['body'] = $content;
}

// Sort by parameter name so both sides build the same string
uksort($params, 'strcmp');

$stringToSign =
            $request->getMethod() . "\n" // all caps
            . $request->getHost() . "\n" // api host
            . $request->getPath() . "\n"
            . http_build_query($params, '', '&', PHP_QUERY_RFC3986);

Each letter of the HTTPMethod value must be capitalized. The body must only be set if the request body is not empty.

Calculate the signature

$signature = base64_encode(
    hash_hmac('sha256', $stringToSign, $secret, true)
);

Pass the signature

The base64 encoded hash must be sent for every request with the Authorization header.

Authentication and signature errors

HTTP 401

The API token sent with the Authorization header is invalid or missing.

HTTP 400

The signature data sent with the Authorization header failed validation. Issues may be:

  • "Request must contain a signature.": Signature value is missing or empty
  • "Request must contain a timestamp.": Timestamp value is missing or empty
  • "Timestamp is beyond the +-15 second difference allowed.": Timestamp value is not valid.
  • "Invalid signature": Signature value does not match expected value
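
The signing steps and the error conditions listed above, worked end to end as an added example (not code from Private Packagist or its client library). It goes beyond the page by sketching the verifying side: the function names, the in-memory nonce cache, the "Cnonce already used" message, the nonce format and all sample values are assumptions made for illustration.

```php
<?php
// Added example; function names and the nonce cache are hypothetical.
function stringToSign(string $method, string $host, string $path, array $params): string
{
    uksort($params, 'strcmp');
    return strtoupper($method) . "\n" . $host . "\n" . $path . "\n"
        . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

function sign(string $secret, string $method, string $host, string $path, array $params, string $body): string
{
    if ($body !== '') {
        $params['body'] = $body; // body is signed only when non-empty
    }
    return base64_encode(hash_hmac('sha256', stringToSign($method, $host, $path, $params), $secret, true));
}

function buildHeader(string $token, string $secret, string $method, string $host, string $path, string $body, int $time): string
{
    $nonce = base64_encode(random_bytes(48)); // assumed nonce format: random and unique per request
    $params = ['timestamp' => $time, 'cnonce' => $nonce, 'key' => $token];
    $sig = sign($secret, $method, $host, $path, $params, $body);
    return "PACKAGIST-HMAC-SHA256 Key=$token, Timestamp=$time, Cnonce=$nonce, Signature=$sig";
}

function verifyHeader(string $header, string $secret, string $method, string $host, string $path, string $body, int $now, array &$seen): string
{
    $fields = [];
    foreach (preg_split('/,\s*/', (string) preg_replace('/^PACKAGIST-HMAC-SHA256\s+/', '', $header)) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $fields[strtolower(trim($name))] = $value;
    }
    if (($fields['signature'] ?? '') === '') return 'Request must contain a signature.';
    if (($fields['timestamp'] ?? '') === '') return 'Request must contain a timestamp.';
    if (abs($now - (int) $fields['timestamp']) > 15) return 'Timestamp is beyond the +-15 second difference allowed.';
    $params = ['timestamp' => $fields['timestamp'], 'cnonce' => $fields['cnonce'] ?? '', 'key' => $fields['key'] ?? ''];
    $expected = sign($secret, $method, $host, $path, $params, $body);
    if (!hash_equals($expected, $fields['signature'])) return 'Invalid signature'; // constant-time compare
    if (isset($seen[$params['cnonce']])) return 'Cnonce already used'; // hypothetical message
    $seen[$params['cnonce']] = $now; // record only authenticated nonces
    return 'ok';
}
// Constructed values, not real credentials or hosts.
$seen = [];
$h = buildHeader('example-token', 'example-secret', 'post', 'api.example.test', '/packages/', '{"a":1}', 1700000000);
echo verifyHeader($h, 'example-secret', 'POST', 'api.example.test', '/packages/', '{"a":1}', 1700000005, $seen), "\n";
echo verifyHeader($h, 'example-secret', 'POST', 'api.example.test', '/packages/', '{"a":1}', 1700000006, $seen), "\n";
echo verifyHeader($h, 'example-secret', 'POST', 'api.example.test', '/packages/', '{"a":2}', 1700000005, $seen), "\n";
echo verifyHeader($h, 'example-secret', 'POST', 'api.example.test', '/packages/', '{"a":1}', 1700000016, $seen), "\n";
```

The four calls exercise, in order, an accepted request, a replay of the same header, a body changed after signing, and a timestamp outside the 15 second window. The nonce is recorded only after the signature check passes, so unauthenticated requests cannot fill the cache.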

API Endpoints
