API Documentation
Documentation
- Quick Start Guide
- Private Networks and Firewalls
- Using Private Packagist in a Composer project
- API Documentation
- Security Monitoring
- Update Review
- Synchronization FAQ
- Composer Authentication
- Centralized Authentication and SSO
- Cloud Changelog
Features
- Private Composer Packages
- Mirroring Composer Packages
- GitHub, Bitbucket, GitLab and Other Integrations
- Security Monitoring
- Update Review
- Dependency License Review
- Subrepository Setup
- Vendors: Customer Setup
Articles
Private Packagist Self-Hosted
- Self-Hosted Installation
- Maintenance
- Troubleshooting Guide
- Integration Setup
- Replicated Native (deprecated)
- Self-Hosted Changelog
Client Library
We provide a php client for the Private Packagist API. The client handles authentication, signature generation and access to all endpoints.
Run composer require private-packagist/api-client php-http/guzzle6-adapter
to install the client.
Basic usage
$client = new \PrivatePackagist\ApiClient\Client(); $client->authenticate('api-key', 'api-secret'); $packages = $client->packages()->all();
Authentication
You can authenticate with the Private Packagist API using credentials, consisting of a public key and secret, that can be created in your organization settings under API Access. All API credentials are bound to a specific Private Packagist organization.
Supported Headers
The API expects a PACKAGIST-HMAC-SHA256 Authorization header to be present for every request.
Authorization: PACKAGIST-HMAC-SHA256 Key=ffce048835c6cdea47bc, Timestamp=1522925488, Cnonce=zjmfNVePGWoYksX/NJqnemb0g2dH30X3gu22JXqadZ0exBJsQZrC1xNYo10jyC6E, Signature=QXnRNGuXMOzd/dBnk1mbSUsA2M6ablgY+9y5/o/dIg4=
The required values are:
- [Required] Key: "API key" part of your organization's API Access credentials
- [Required] Timestamp: The unix timestamp of the current time when creating the request by the API caller. The timestamp is valid within 15 seconds of the server time when the request is processed.
- [Required] Cnonce: The UUID generated by the API caller. This header is used with the time stamp to prevent replay.
- [Required] Signature: Signature string. See below
Signature Verification
The signature calculation procedure is as follows:
Organize the strings involved in the signature calculation
$params = [ 'timestamp' => $time, 'cnonce' => $nonce, 'key' => $apiToken, ]; if ($content) { $params['body'] => $content; } uksort($params, 'strcmp'); $stringToSign = $request->getMethod() . "\n" // all caps . $request->getHost() . "\n" // api host . $request->getPath() . "\n" . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
Each letter of the HTTPMethod value must be capitalized. The body must only be set if the request body is not empty.
Calculate the signature
$signature = base64_encode( hash_hmac('sha256', $stringToSign, $secret, true) );
Pass the signature
The base64 encoded hash must be sent for every request with the Authorization header.
Authentication and signature errors
HTTP 401
The API token sent with the Authorization header is invalid or missing.
HTTP 400
The signature validation sent with the Authorization header is invalid. Issues may be:
- "Request must contain a signature.": Signature value is missing or empty
- "Request must contain a timestamp.": Timestamp value is missing or empty
- "Timestamp is beyond the +-15 second difference allowed.": Timestamp value is not valid.
- "Invalid signature": Signature value does not match expected value
Accessing API endpoints without generating a signature
GET requests can also use a PACKAGIST-TOKEN Authorization header using your API key without generating a signature.
Authorization: PACKAGIST-TOKEN ffce048835c6cdea47bc
Api Endpoints
Generating OpenAPI documentation...