Composer Private Packages

The Packages section, found with Project Settings, allows you to authenticate against providers of Composer private packages.

The fields (url, username, password) are used to create a COMPOSER_AUTH environment variable.

The value of COMPOSER_AUTH is a JSON string containing http-basic auth data for each package defined.

The most common example is for Laravel Nova. For Laravel Nova, use the following:

  • url:
  • username:
  • password: some-password

Within the build server, the environment variable COMPOSER_AUTH will be set to the following (without newline characters):

    "http-basic": {
        "": {
            "username": "", 
            "password": "some-password"
        "maybe-another-package.tld": {
            "username": "", 
            "password": "some-other-password"

Note: You should not use "http(s)://" in the URL field for private packages. Chipper will remove them if you do, but let us know if you think you hit any bugs!

Satis (Laravel Spark)

Satis repositories (and in particular Laravel Spark) have a few installation methods. The method that requires extra authentication occurs when you include a repository as "just another composer package". Usually the package is a private repository, and we need to treat it like one.

In this setup, you'd define the repository within composer.json:

"repositories": [
        "type": "composer",
        "url": ""
"require": {
  "laravel/spark-aurelius": "~9.0"

For this to work within your Chipper CI pipeline, you'll need access to the private repository and a Personal Access Token from the git provider hosting the repository.

For example, within your Laravel Spark account, you can request access to the repository within the User settings > "GitHub" section, and then you can follow our documentation on setting up a Personal Access Token for cloning private repositories.

Authentication Not Working?

If you have switched from a local directory setup to using http-basic authentication for pulling in private repositories, your composer.lock file may contain outdated information.

Be sure to run composer update (or delete/recreate composer.lock) after changing to/from a local repository installation method vs http-basic installation method of a private package.

Be sure to also check our other Private Packages documentation,which includes information on what to do if you are using private repositories you control/own that don't use http-basic authentication.