Working with Amasty's new Project-Based Access Keys

Amasty recently announced that starting January 1, 2026, they will be discontinuing global Composer access keys generated in the "Products" tab of customer accounts. Instead, they're moving to project-specific access keys that provide better security and cleaner dependency management by tying Composer access directly to individual projects rather than account-wide access. This change addresses common issues like version conflicts between projects, security risks from broadly scoped keys, and complications with license management across multiple client projects.

If you're using Amasty packages for more than one client project in your Private Packagist organization, you can easily adapt to this change by creating suborganizations and separate mirrored repositories to maintain the same level of organization and security that Amasty is now providing.

If you are already using suborganizations, but currently use a single credential for Amasty across your suborganizations, you can define individual Amasty credentials in each suborganization instead.

Setting Up Project-Based Access with Suborganizations

The most effective way to mirror Amasty's new project-based approach in Private Packagist is to create a suborganization for each of your projects. Suborganizations are additional Composer repositories in an organization with their own URL, authentication tokens, and a separate list of packages. They allow you to select which mirrored third-party repositories, shared organization packages, and credentials can be used in a Composer project.

We’ll walk you through the configuration below.

Create a Suborganization for your Project

Organization owners and admins can create suborganizations through the Private Packagist interface:

  • Navigate to the suborganizations page in your organization
  • Click "Create Suborganization"

[Image: Create a new suborganization]

You can also create suborganizations programmatically using the Private Packagist API through the API client.

Create a new Credential

The next step is adding your new in-project Composer access key to your suborganization, so it can be used to access Amasty’s Composer repository. Navigate to the “Credentials” page in the “Settings” tab of your new suborganization, and add these details to the form:

  • Authentication type: Magento Third Party Public Key/Private Key
  • Domain: composer.amasty.com
  • Public Key: Your Amasty project's public key
  • Private Key: Your project's private key

[Image: Add your in-project Amasty credentials]

Add a mirrored repository

Create a new mirrored third-party repository in your suborganization settings. Go to the “Mirroring” section and click on the “Add Mirrored Repository” button. Enter the Amasty Composer repository URL (https://composer.amasty.com/community/ or https://composer.amasty.com/enterprise) and select the credentials you just created for authentication. 

You can configure the repository to automatically mirror packages when they're requested through Composer commands, or manually add specific packages as needed.

[Image: Configure your new mirrored repository to use the in-project credentials]

Configure Access

Make sure the right people on your team have access to this new suborganization. Go to the “Teams” page of the suborganization to give access to one or more teams, or add individual members by clicking the “Manage collaborators” button next to the special “Suborganization Collaborators” team.

[Image: Give your teams and members access to the suborganization]

Add the suborganization repository to your Composer project

That’s it! Your suborganization is ready for use. Configure your Composer project by adding the repository for this suborganization and setting up authentication, just like you did with your main Private Packagist organization. You can find the step-by-step instructions on the “Overview” page of your suborganization. 

Managing Multiple Projects

If you work with multiple clients or maintain several projects with different Amasty license requirements, create separate suborganizations for each. This mirrors Amasty's new project-based approach while giving you the additional benefits of Private Packagist's package management and security features.

Each suborganization can have its own:

  • Set of Amasty packages based on the products assigned to that project
  • Team members and access permissions
  • Authentication tokens for CI/CD environments

Next Steps

Before Amasty's January 1, 2026 deadline, review your current Amasty package usage and plan your suborganization structure. If you're already using Private Packagist suborganizations, you can simply replace the credentials for your Amasty mirrored repositories with the new in-project access keys. If you're new to suborganizations, this change provides an excellent opportunity to improve your project organization and security.
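For the review step above, here is an added example (not from the original article and not part of Private Packagist's or Amasty's tooling). It audits a project's composer.lock and auth.json to find Amasty packages that are still downloaded directly from composer.amasty.com, and credentials stored for that domain outside Private Packagist. The package names, dist URLs and keys in the sample data are constructed placeholders.

```python
import json
from urllib.parse import urlparse

AMASTY_HOST = "composer.amasty.com"  # domain named in the article

# Constructed sample data (not from a real project); names, URLs and keys are placeholders.
SAMPLE_LOCK = {"packages": [
    {"name": "amasty/example-a", "version": "1.0.0",
     "dist": {"type": "zip", "url": "https://composer.amasty.com/example/a.zip"}},
    {"name": "amasty/example-b", "version": "2.1.0",
     "dist": {"type": "zip", "url": "https://repo.packagist.com/acme/client-a/dists/b.zip"}},
    {"name": "vendor/unrelated", "version": "3.5.0",
     "dist": {"type": "zip", "url": "https://api.github.com/repos/example/example/zipball/0000"}},
], "packages-dev": []}
SAMPLE_AUTH = {"http-basic": {
    "composer.amasty.com": {"username": "<public-key>", "password": "<private-key>"},
    "repo.packagist.com": {"username": "token", "password": "<suborganization-token>"}}}

def audit(lock: dict, auth: dict) -> dict:
    """Group locked amasty/* packages by download host and list direct Amasty credentials."""
    by_host = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if not pkg.get("name", "").startswith("amasty/"):
                continue
            host = urlparse(pkg.get("dist", {}).get("url", "")).hostname or "(no dist url)"
            by_host.setdefault(host, []).append(f'{pkg["name"]}@{pkg.get("version", "?")}')
    # auth.json groups credentials by method, then by host: {"http-basic": {host: {...}}}
    direct = sorted(
        method for method, hosts in auth.items()
        if isinstance(hosts, dict) and AMASTY_HOST in hosts
    )
    return {"by_host": by_host, "direct_amasty_auth": direct}

def needs_migration(report: dict) -> bool:
    """True when the project still pulls from, or authenticates to, Amasty directly."""
    return AMASTY_HOST in report["by_host"] or bool(report["direct_amasty_auth"])

if __name__ == "__main__":
    report = audit(SAMPLE_LOCK, SAMPLE_AUTH)
    print(json.dumps(report, indent=2))
    print("needs migration:", needs_migration(report))
```

To run it against a real project, load composer.lock and auth.json with `json.load` and pass the resulting dictionaries to `audit` in place of the sample data.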

If you have any questions or need help with this new approach, get in touch via contact@packagist.com or the support chat.