Packagist is the default package repository for Composer, the PHP dependency manager. It indexes over 454,000 open-source PHP packages — versions, dependencies, maintainers, download statistics, security advisories — and exposes them through a free public HTTP API plus a high-throughput static Composer v2 metadata mirror at repo.packagist.org. Packagist is MIT-licensed open source (composer/packagist on GitHub) and is operated by the Composer team, with funding from Private Packagist (the commercial hosted/self-hosted sibling product at packagist.com) and infrastructure sponsorships from Bunny.net and Aikido. Together with the Composer CLI, the SemVer library, the SPDX licenses helper, and the Satis static repository generator, Packagist anchors PHP's modern software supply chain.
URL: Visit APIs.json
Run: Capabilities Using Naftiko
- Composer, PHP, Package Registry, Dependency Management, Open Source, Developer Tools, Software Supply Chain, Security Advisories
- Created: 2026-05-25
- Modified: 2026-05-25
| Metric | Value |
|---|---|
| Packages | 454,128 |
| Versions | 5,581,369 |
| Installs (since 2012-04-13) | 181,926,268,159 |
Source: packagist.org/statistics.
The Packagist API exposes the public PHP Composer package registry. Read endpoints (list, search, popular, package detail, Composer v2 metadata, change feed, statistics, security advisories) are anonymous; write endpoints (create-package, edit-package, update-package) authenticate with SAFE or MAIN API tokens via Bearer username:apiToken. Static Composer v2 metadata is served from a separate high-throughput mirror at repo.packagist.org.
Human URL: https://packagist.org/apidoc
Base URLs:
https://packagist.org— application API (search, package detail, statistics, security advisories, writes)https://repo.packagist.org— static Composer v2 metadata mirror
Operations:
| Method | Path | Description |
|---|---|---|
| GET | /packages/list.json |
List packages, optionally filtered by vendor or type |
| GET | /search.json |
Search packages by name, tag, type |
| GET | /explore/popular.json |
Top packages by weekly downloads |
| GET | /packages/{vendor}/{package}.json |
Full package payload (12-hour cache) |
| GET | /p2/{vendor}/{package}.json |
Composer v2 static metadata (preferred) |
| GET | /p2/{vendor}/{package}~dev.json |
Composer v2 dev-branch metadata |
| GET | /packages/{vendor}/{package}/stats.json |
Download statistics |
| GET | /metadata/changes.json |
24-hour rolling change feed |
| GET | /statistics.json |
Registry-wide totals |
| GET | /api/security-advisories/ |
Security advisories for one or more packages |
| POST | /api/create-package |
Submit a new package (MAIN token) |
| PUT | /api/packages/{package} |
Edit package URL (MAIN token) |
| POST | /api/update-package |
Trigger re-crawl (SAFE token) |
Artifacts:
- Documentation
- OpenAPI
- JSON Schema — Package
- JSON Schema — Security Advisory
- JSON Structure — Package
- JSON-LD — Context
- Spectral Rules
- Vocabulary
- Example — Search
- Example — Get Package
- Example — Security Advisories
- Naftiko Capability — Package Discovery
- Naftiko Capability — Package Publishing
- Naftiko Capability — Registry Change Feed
- Naftiko Capability — Security Advisories
- Naftiko Capability — Download Statistics
Write endpoints accept either bearer auth or username + apiToken query/POST parameters:
Authorization: Bearer <username>:<apiToken>
Token classes:
- SAFE — readonly + metadata refresh (
update-packageonly). - MAIN — full write surface, including
create-packageandedit-package.
API tokens are managed under your Packagist profile.
Packagist publishes operational guidance instead of a fixed RPS rate limit. The defaults that matter:
- Concurrent requests: 10 to
packagist.org, 20 torepo.packagist.org. - Schedule off-peak: avoid the top of the hour (
XX:00) and midnight UTC. - Identify yourself: send a
User-Agentwith amailto=contact. - Use HTTP/2: multiplexing is strongly recommended.
- Change feed retention: the
/metadata/changes.jsonlog is retained for 24 hours — poll within that window.
See rate-limits/packagist-rate-limits.yml for the structured policy.
Packagist is the registry half of a wider Composer toolchain. The full open-source family ships under github.com/composer:
| Repository | Purpose |
|---|---|
| composer/composer | The Composer CLI / dependency resolver itself |
| composer/packagist | This registry application (MIT, "not meant for re-use") |
| composer/satis | Static Composer repository generator |
| composer/semver | SemVer parsing and constraint logic |
| composer/spdx-licenses | SPDX license list and validation |
| composer/class-map-generator | PHP class-map scanner |
| composer/ca-bundle | System CA bundle locator with Mozilla fallback |
| composer/api-surface-check | GitHub Action detecting public API surface changes |
| composer/docker | Official Composer Docker images |
| composer/getcomposer.org | getcomposer.org website sources |
- Portal
- Documentation — apidoc
- Documentation — Composer
- About
- Statistics
- GitHubOrganization
- GitHubRepository — composer/packagist
- GitHubRepository — composer/composer
- GitHubRepository — composer/satis
- License — MIT
- SignUp
- Login
- APIKeys — Profile
- Blog
- Forum — Discussions
- Issues
- Mirrors
- SecurityAdvisories — Endpoint
- SecurityAdvisories — FriendsOfPHP
- Sandbox — Private Packagist (commercial)
- Plans / Pricing
- Rate Limits
Packagist.org itself is free. The commercial sibling Private Packagist is offered as Cloud and Self-Hosted:
| Plan | Price | Notes |
|---|---|---|
| Packagist.org (Public) | Free | Unlimited public packages |
| Private Packagist Cloud (yearly) | €649/yr | 3 users + 3 suborganizations included |
| Private Packagist Cloud (monthly) | €54.08/mo | Same inclusions |
| Extra user | €15.58/mo | Beyond first 3 |
| Extra suborganization | €15.58/mo | Beyond first 3 |
| Self-Hosted | Contact sales | Air-gapped / on-prem |
A 14-day free trial and a 25% solo-user / non-profit discount are available. See plans/packagist-plans-pricing.yml and packagist.com/pricing.
FN: Kin Lane
Email: info@apievangelist.com