diff --git a/lib/datasource/packagist.js b/lib/datasource/packagist.js
index 09f3fb2a73d2b96d09fda9e695a608472c731707..9f67fd8370da4bf38d964dbe9eb13f1adbf67804 100644
--- a/lib/datasource/packagist.js
+++ b/lib/datasource/packagist.js
@@ -11,7 +11,7 @@ module.exports = {
   getPkgReleases,
 };
 
-function authGot(url) {
+function getHostOpts(url) {
   const { host } = URL.parse(url);
   const opts = hostRules.find({ platform: 'packagist', host }, { json: true });
   if (opts && opts.username && opts.password) {
@@ -20,13 +20,14 @@ function authGot(url) {
     );
     opts.headers = { Authorization: `Basic ${auth}` };
   }
-  return got(url, opts);
+  return opts;
 }
 
 async function getRegistryMeta(regUrl) {
   try {
     const url = URL.resolve(regUrl, 'packages.json');
-    const res = (await authGot(url)).body;
+    const opts = getHostOpts(url);
+    const res = (await got(url, opts)).body;
     const meta = {};
     meta.packages = res.packages;
     if (res.includes) {
@@ -71,19 +72,24 @@ async function getRegistryMeta(regUrl) {
 
 async function getPackagistFile(regUrl, file) {
   const { key, sha256 } = file;
-  // Check the persistent cache
+  const fileName = key.replace('%hash%', sha256);
+  const opts = getHostOpts(regUrl);
+  if (opts.headers && opts.headers.Authorization) {
+    return (await got(regUrl + '/' + fileName, opts)).body;
+  }
   const cacheNamespace = 'datasource-packagist-files';
-  const cachedResult = await renovateCache.get(cacheNamespace, key);
+  const cacheKey = regUrl + key;
+  // Check the persistent cache for public registries
+  const cachedResult = await renovateCache.get(cacheNamespace, cacheKey);
   // istanbul ignore if
   if (cachedResult && cachedResult.sha256 === sha256) {
     return cachedResult.res;
   }
-  const fileName = key.replace('%hash%', sha256);
-  const res = (await authGot(regUrl + '/' + fileName)).body;
+  const res = (await got(regUrl + '/' + fileName, opts)).body;
   const cacheMinutes = 1440; // 1 day
   await renovateCache.set(
     cacheNamespace,
-    file.key,
+    cacheKey,
     { res, sha256 },
     cacheMinutes
   );
@@ -194,7 +200,8 @@ async function packageLookup(regUrl, name) {
         .replace('%package%', name)
         .replace('%hash%', providerPackages[name])
     );
-    const versions = (await authGot(pkgUrl)).body.packages[name];
+    const opts = getHostOpts(regUrl);
+    const versions = (await got(pkgUrl, opts)).body.packages[name];
     const dep = extractDepReleases(versions);
     dep.name = name;
     logger.trace({ dep }, 'dep');
diff --git a/test/datasource/packagist.spec.js b/test/datasource/packagist.spec.js
index 72b22f1733a5b1f33ac1971691358f84ebe095c7..e62b2628d330e7207c4d16fed4ba83470d860b58 100644
--- a/test/datasource/packagist.spec.js
+++ b/test/datasource/packagist.spec.js
@@ -13,10 +13,7 @@ describe('datasource/packagist', () => {
   describe('getPkgReleases', () => {
     beforeEach(() => {
       jest.resetAllMocks();
-      hostRules.find.mockReturnValue({
-        username: 'some-username',
-        password: 'some-password',
-      });
+      hostRules.find = jest.fn(input => input);
       global.repoCache = {};
       return global.renovateCache.rmAll();
     });
@@ -99,6 +96,10 @@ describe('datasource/packagist', () => {
       expect(res).toBeNull();
     });
     it('supports includes packages', async () => {
+      hostRules.find = jest.fn(() => ({
+        username: 'some-username',
+        password: 'some-password',
+      }));
       const packagesJson = {
         packages: [],
         includes: {