API tokens

Composer credentials scoped to one project. Create, rotate, and revoke from your account.

What a token is

A token is a public_key/private_key pair you put in Composer's auth.json. Composer uses them as HTTP Basic credentials when it fetches metadata or downloads a package. Each token belongs to a single project: a token from your production project cannot pull packages licensed against your staging project.

Create

  1. Sign in and open Projects & Tokens.
  2. Pick the project. Click "Create token". Add a label (e.g. "ci-runner") so you can identify it later.
  3. The private key is revealed inline once, immediately after creation. If you miss it, the token row keeps a Download auth.json link that streams a ready-to-use auth.json containing the current credentials. Treat the private key like a password: keep it out of source control and rotate it if you suspect it has leaked.
  4. Paste both keys into your auth.json (see Composer setup).

Rotate

Rotate when a developer leaves, when a CI host is rebuilt, or as part of regular hygiene. Rotation generates a fresh public_key/private_key pair on the existing token row and invalidates the old keys immediately. Update auth.json on every host using the token before rotating; expect a brief 401 window for hosts that haven't deployed the new keys.
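An added example, not part of this documentation or the service's own tooling: one way a CI or deploy step can install the keys after creating or rotating a token, writing auth.json atomically with owner-only permissions and then checking that the file is not tracked by git. The host name, the environment variable names, and the mapping of public_key to username and private_key to password are assumptions; take the real values from Composer setup.

```python
import json
import os
import shutil
import stat
import subprocess
import tempfile

# Assumptions (not from the page): this repository host name and the
# mapping public_key -> username, private_key -> password.
EXAMPLE_HOST = "packages.example.test"


def write_auth_json(path, host, public_key, private_key):
    """Atomically write a Composer auth.json that only its owner can read."""
    doc = {"http-basic": {host: {"username": public_key, "password": private_key}}}
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600, so the key is never world-readable.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".auth-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(doc, fh, indent=4)
            fh.write("\n")
        # Rename: Composer reads either the old keys or the new ones, never half a file.
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def audit_auth_json(path):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("readable or writable by group/other")
    directory, name = os.path.split(os.path.abspath(path))
    if shutil.which("git"):
        # Exit status 0 means git tracks the file, i.e. the key is in source control.
        result = subprocess.run(
            ["git", "-C", directory, "ls-files", "--error-unmatch", name],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if result.returncode == 0:
            findings.append("tracked by git")
    return findings


if __name__ == "__main__":
    # Keys come from the CI secret store; the variable names are hypothetical.
    write_auth_json("auth.json", EXAMPLE_HOST,
                    os.environ["REPO_PUBLIC_KEY"], os.environ["REPO_PRIVATE_KEY"])
    print(audit_auth_json("auth.json") or "auth.json OK")
```

A "tracked by git" finding means the private key is already in the repository history, so removing the file is not enough: rotate the token as described above.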

Revoke

Revoke when a token is compromised or no longer needed. The token stops authenticating immediately. A request already mid-stream when you revoke typically completes that single response; every subsequent request from the revoked token fails authentication, so the next composer install or composer update will fail with a 401 until you replace the credentials.

Project scope

Tokens are bound to a single project. A multi-project org typically has one token per project (production, staging, dev). Activate each license against the project that should be able to pull it; the token then sees only that project's entitled packages. Cross-project access requires either re-activating the license or creating a token in the other project.