Installing private PHP Composer packages

Once you have signed up for a Gemfury account, you can upload Composer packages via Git, and install them into your project via composer.json.

Uploading packages

After using one of many guides on the web about creating a Composer package, you can upload your creation to Gemfury. Please make sure that your composer.json details include the name of the package.

Use the following command to add Gemfury remote repository to your package and upload the package to your account:

# Initial one-time setup
$ git remote add fury

# Push to build a new version
$ git push fury master
Username for '': <Your personal username>
Password for '': <Your personal password>

When entering the URL for your repository, username can be your account, or any of the account usernames on which you collaborate with. Package-name should be the name of your package without the vendor name – no additional slashes are permitted in the URL.

If you would like to avoid entering your credentials on every push, learn more about configuring and using Git with Gemfury.

Deleting packages

In addition to deleting packages in your account, you may want to delete the Git repository for your project at Gemfury. You can use the following CLI command:

$ fury git:reset repo-name

Manually building and uploading

If you are using an SCM other than Git, you may build your package by hand and upload it manually to Gemfury. Go to the parent directory outside of the package and run:

$ zip -r package-dir/ -x 'package-dir/.svn/*'

You can then upload the to Gemfury via the Dashboard, Gemfury CLI, or cURL.

Your secret Repository URL

The secret repository URL is the Composer endpoint for your Gemfury account and packages. Do not share this URL to keep your account private.

Your Repository URL has the following format:

Install modules via composer.json

Add your Repository-URL to the list of repositories in your composer.json. As described in the Composer manual, repositories option can only be applied to a root package:

  "repositories": [{
    "type": "composer",
    "url": ""

  "require": {
    "user/package-name": ">= 1.0.0"

Test it out by running:

$ composer install

Keeping your credentials separate & secure

Although the method described above is the simplest, we strongly recommend that you do not keep secret tokens in your composer.json nor commit them into your SCM. Instead, we encourage you to store your Composer credentials in a separate configuration file.

To use this method, create auth.json in your COMPOSER_HOME or the root directory of your project. This will be done individually by each developer, so be sure to include this file in your .gitignore or equivalent:

  "http-basic": {
    "": {
      "username": "your-secret-token",
      "password": ""

Now you can safely commit your private repo configuration into composer.json:

  "repositories": [
    { "type": "composer", "url":  "" }


You can choose between explicit or tag-based versioning modes for building your package by either specifying or omitting the version property in your composer.json.

  • Explicit versioning will build your package from the tip of the pushed master branch and use the version specified in your composer.json file.
  • To enable tag-based versioning, remove the version property from your composer.json and Gemfury will version your package using your Git tags.