Skip to main content

Use private packages

Packages that are publicly available on PyPI can be specified in your app's requirements.txt file to become available in your app as dependency, as shown here. But sometimes you might want to add a package that is only available privately (e.g. code stored on a centralized repository within the company to be reused in multiple apps). There are different options to make such a package available in a (published) app, without the need to copy the code manually into your app folder:

Git submodule

The easiest way to add an app-dependency is to copy the package code (as a sub-folder) into your app folder. A disadvantage of this approach is that if the package is maintained in a separate repository, the copied code needs to be manually updated to receive the latest additions or bugfixes. This problem can be resolved by adding the dependency as a Git submodule to your app. Obviously, this requires your app code itself to be a Git repository.

Add an existing Git repository as a submodule to your app by:

git submodule add https://my-package-repository-url app/submodules/my-package

All code, including the submodules, must reside (in a sub-folder) within the 'app' folder to be available in production.

This will copy the repository's content in a sub-folder submodules/my-package/ within your app folder, and creates a .gitmodules file in your project folder that stores the mapping between the package URL and local path.

Updating your app including all submodules can be done with:

git pull --recurse-submodules

Cloning a project including all submodules to your local hard disk can be done by:

git clone --recurse-submodules https://my-project-repository-url

All ins and outs of using Git submodules can be found on the Git website.

Publish your package on a private PyPI

Another way to make a private package available in an app is to publish it on a private PyPI. This way the code is not copied in your app, but handled as any other package dependency. Moreover, access can even be restricted by means of authentication credentials.

Examples of platforms that allow for hosting your own packages, are:

Instructions on how to host your private package on each platform can be found in the corresponding links.

The hosted package can then be added in your app's requirements.txt file, as follows:

--extra-index-url https://my-private-package-index-url

If the private package index is protected by means of authentication credentials, this can be passed using the VIKTOR_APP_SECRET environmental variable, as follows:

--extra-index-url https://MY_USER:${VIKTOR_APP_SECRET}@my-private-package-index-url

In order for VIKTOR_APP_SECRET to be available in production, the variable must be set manually on the server. Please contact with your request. This must be done after creating your app on the VIKTOR environment, but before publishing your app with the private dependency.


For security reasons, we advise against hard-coding the authentication credentials in requirements.txt, prefer to use VIKTOR_APP_SECRET instead.

Keep in mind though that when using VIKTOR_APP_SECRET as shown above, no post-processing will be performed on the variable in requirements.txt. Hence, VIKTOR_APP_SECRET can, in that case, not be used to pass any additional secrets using concatenation (VIKTOR_APP_SECRET=mysecret1;mysecret2).