Using Artifactory 5.x ?
JFrog Artifactory 5.x User Guide

Have a question? Want to report an issue? Contact JFrog support

Skip to end of metadata
Go to start of metadata


Artifactory supports PHP Composer repositories on top its existing support for advanced artifact management.

Artifactory support for Composer provides:

  1. The ability to provision Composer packages from Artifactory to the Composer command line tool from all repository types.
  2. Calculation of metadata for Composer packages hosted in Artifactory local repositories.
  3. Access to remote Composer metadata repositories (Packagist and Artifactory Composer repositories) and package repositories (such as Github, Bitbucket etc..) through remote repositories which provide proxy and caching functionality.
  4. Assign access privileges according to projects or development teams.


Local Repositories

To enable calculation of Composer package metadata, set PHP Composer to be the Package Type when you create your local Composer repository.

Page Contents



Deploying Composer Packages

The Composer client does not provide a way to deploy packages and relies on a source control repository to host the Composer package code. To deploy a Composer package into Artifactory, you need to use Artifactory's REST API or the Web UI.

A Composer package is a simple archive, usually zip or a tar.gz file, which contains your project code as well as a composer.json file describing the package.


For Artifactory to index packages you upload, each package must have its version specified. There are three ways to specify the package version:

  • Include the version attribute in the package composer.json file
  • Set a composer.version property when deploying a package via REST (or on an existing package)
  • Use the version field when deploying via the UI

Remote Repositories

The public Composer repository does not contain any actual binary packages; it contains the package indexes that point to the corresponding source control repository where the package code is hosted. 

Since the majority of public Composer packages are hosted on GitHub, we recommend creating a Composer remote repository to serve as a caching proxy for, specifying as the location of the public package index files. A Composer remote repository in Artifactory can proxy and other Artifactory Composer repositories for index files, and version control systems such as GitHub or BitBucket, or local Composer repositories in other Artifactory instances for binaries.

Composer artifacts (such as zip, tar.gz files) requested from a remote repository are cached on demand. You can remove the downloaded artifacts from the remote repository cache, however you can not manually deploy artifacts to a remote repository.

To define a remote repository to proxy as well as the public Composer Packagist repository follow the steps below:

  1. Create a new remote repository and set PHP Composer to be its Package Type
  2. Set the Repository Key, and enter the repository URL (e.g. in the URL field as displayed below
  3. In the Composer Settings  section, select GitHub as the Git Provider, and leave the leave the default Registry URL (e.g. 
  4. Finally, click "Save & Finish"

URL vs. Registry URL

To avoid confusion, note that:

URL is the URL of your Git provider where the actual package binaries are hosted.

Registry URL is the URL where the package index files holding the metadata are hosted.

To proxy a public Composer registry, set the Registry URL field to the location of the index files as displayed above. To proxy a Composer repository in another Artifactory instance, set both the URL field and the Registry URL field to the remote Artifactory repository's API URL. For example:


Using the Composer command line

Once the Composer client is installed, you can access Composer repositories in Artifactory through its command line interface.

Composer repositories must be prefixed with api/composer in the path

When accessing a Composer repository through Artifactory, the repository URL must be prefixed with api/composer in the path. This applies to all Composer commands including composer install.

For example, if you are using Artifactory standalone or as a local service, you would access your Composer repositories using the following URL:

http://localhost:8081/artifactory/api/composer/<repository key>

Or, if you are using Artifactory SaaS, the URL would be:

https://<server name><server name>/api/composer/<repository key>


Once you have created a Composer repository, you can select it in the Tree Browser and click Set Me Up to get code snippets you can use to set your Composer repository URL in your config.json file.


Composer config.json file

Windows: %userprofile%\.composer\config.json
Linux: ~/.composer/config.json

Replacing the Default Repository

You can change the default repository specified for the Composer command line in the config.json file as follows:

    "repositories": [
            "type": "composer",
            "url": "https://localhost:8081/artifactory/api/composer/composer-local"},
            "packagist": false

Working with a secure URL (HTTPS) is considered a best practice, but you may also work with an insecure URL (HTTP) by setting the secure-http configuration to false:

    "config": {
         "secure-http" : false
    "repositories": [


In order to authenticate the Composer client against your Artifactory server, you can configure Composer to use basic authentication in your auth.json file as follows:

    "http-basic": {
        "localhost": {
            "username": "mikep",
            "password": "APBJ7XgkrigBzb2XKTuwgnRq5vc"

Composer auth.json file

Windows: %userprofile%\.composer\auth.json
Linux: ~/.composer/auth.json

Once the Composer command line tool is configured, every composer install command will fetch packages from the Composer repository specified above. 

Cleaning Up the Local Composer Cache

The Composer client saves caches of packages that were downloaded, as well as metadata responses.
We recommend removing the Composer caches (both packages and metadata responses) before using Artifactory for the first time, this is to ensure that your caches only contain elements that are due to requests from Artifactory and not directly from Packagist. To clear your Composer cache, run the following command:

Clean the Composer cache
composer clear-cache

composer.lock file

In your project directory already has a composer.lock file that contains different 'dist' URLs (download URLs) than Artifactory, you need to remove it, otherwise, when running the composer install command, the composer client will resolve the dependencies using the composer.lock file URLs

Viewing Individual Composer Package Information

Artifactory lets you view selected metadata of a Composer package directly from the UI.
In the Artifacts tab, select Tree Browser and drill down to select the package archive file you want to inspect. The metadata is displayed in the Composer Info tab.

  • No labels