For AI agents and LLMs: a structured documentation index is available at /llms.txt. Every page has a Markdown sibling — append .md to any URL.

Skip to content
Docs

Rotate API keys

Keep your app secure by regularly rotating API keys when they expire or are exposed.

AI summary

Covers the four-step process for rotating Paddle API keys — creating a new key, deploying it alongside the old one, verifying activity, and revoking the old key — to maintain security without app downtime.

  • • Run old and new keys in parallel during the transition — set them as separate env vars and fall back to the old key if the new one fails.
  • • If rotating due to a security exposure, revoke the compromised key first before creating a new one — prioritize security over a smooth overlap period.
  • • There is a 60-minute grace period to reactivate an accidentally revoked key; reactivation is not possible for keys revoked due to an exposure.

API key rotation is the process of replacing existing API keys with new ones. By setting expiry dates and creating new keys before old ones expire, you can minimize the risk of API keys being compromised without disrupting your app.

Regularly rotating API keys is good practice, and helps protect your account from unauthorized access.

You can rotate keys two ways: automatically with AWS Secrets Manager, or manually by creating a new key and transitioning to it yourself. This guide covers both.

Automatic rotation with AWS Secrets Manager

If you store your Paddle API keys in AWS Secrets Manager, you can rotate them automatically on a schedule. Paddle is an official AWS Secrets Manager partner, so rotation happens inside AWS without you swapping keys by hand. This works with both live and sandbox keys, with no need to configure which environment you're using.

How automated rotation works

When AWS Secrets Manager rotates your key, Paddle automatically:

  1. Generates a new secret for your API key. It's shared with AWS Secrets Manager but isn't active yet.
  2. Activates the new secret the first time it's used to authenticate a request.
  3. Keeps the old secret valid for a grace period, so requests already using it keep working during the switch.
  4. Revokes the old secret once the grace period ends.

Because both secrets are valid during the grace period, your app keeps working throughout rotation with no downtime. If you need an atomic rotation for compliance reasons, you can set the grace period to 0.

Set up rotation in AWS Secrets Manager

  1. Create a rotatable API key in Paddle.
  2. Store the key as a secret in AWS Secrets Manager.
  3. Enable rotation for the secret and select Paddle as the rotation integration. See the AWS Secrets Manager rotation guide for the exact steps in the AWS console.

How rotation affects expiry

Rotating a key extends its expiry. When AWS Secrets Manager rotates a key, Paddle sets the new expiry to the time of rotation, plus the number of days until the next scheduled rotation and a one-day buffer. As long as a key keeps rotating on schedule, it never reaches a fixed expiry date.

Because expiry is tied to the rotation schedule, keep the two aligned:

  • Rotate as soon as you store the key in AWS Secrets Manager.
    This is a native part of the Secrets Manager setup. An immediate rotation aligns the expiry with your rotation schedule right away, and sets an expiry if the key doesn't have one yet.
  • Rotate immediately if you make rotations less frequent.
    If you increase the rotation interval in AWS Secrets Manager, run an immediate rotation so the expiry realigns. Shortening the interval doesn't require this, but it doesn't hurt.
  • Don't edit the expiry in the Paddle dashboard.
    If you change it manually, run an immediate rotation so AWS Secrets Manager can realign it.

Manual rotation

You can build your own workflow to rotate API keys manually in the Paddle dashboard. This is useful if you don't want to use AWS Secrets Manager or if you need more control over the rotation process.

Before you begin

When you receive an api_key.expiring or api_key.revoked webhook, you should rotate your API key as soon as possible.

Overview

Rotating your API keys follows this workflow:

  1. Create a new API key
    Grab a new key immediately or before the current one expires.
  2. Store and use the new key
    Transition to using the new key in your app.
  3. Check API key activity
    Verify the new key works and the old key is no longer used.
  4. Revoke the old key
    Stop the old key from working and remove it.

Use an AI agent

Use these prompts with an AI agent to set up key rotation, react to webhooks, or respond to an exposure.

Create a new API key

When you receive an api_key.expiring or api_key.revoked webhook, you should create a new API key as soon as possible. Plan for an overlap period between old and new keys to allow for a smooth transition without disruption to your app.

When creating a new API key:

  • Assign the same permissions as the current key.
  • Set an appropriate expiry date.
  • Add a descriptive name that includes its purpose, team if applicable, and expiry date for easier management.

Store and use the new API key

Store the key safely and replace the old key in all places where your app uses it.

Store both your new and old API keys so they're available at the same time. Set up your code to try the new key first, but use the old key as a backup if anything goes wrong.

  1. Create a new ACTIVE_PADDLE_KEY and OLD_PADDLE_KEY environment variable or key in your key management system.
  2. Set the new key as ACTIVE_PADDLE_KEY.
  3. Move the old key to OLD_PADDLE_KEY temporarily.
  4. Update your code to use either ACTIVE_PADDLE_KEY or OLD_PADDLE_KEY as the Paddle API key.

This means your app keeps working during the switch, allows testing the new key in real conditions, and provides a fallback if the new key causes problems.

Node.js
const ACTIVE_PADDLE_KEY = process.env.ACTIVE_PADDLE_KEY || process.env.OLD_PADDLE_KEY;
Python
ACTIVE_PADDLE_KEY = os.getenv("ACTIVE_PADDLE_KEY") or os.getenv("OLD_PADDLE_KEY")
PHP
$activePaddleKey = getenv("ACTIVE_PADDLE_KEY") ?: getenv("OLD_PADDLE_KEY");
Go
activePaddleKey := os.Getenv("ACTIVE_PADDLE_KEY")
if activePaddleKey == "" {
activePaddleKey = os.Getenv("OLD_PADDLE_KEY")
}

Check API key activity

After updating your app to use the new key, check that:

  • The new key is working properly
    Test the integration to verify that requests using the new API key are successful. Look at logs, errors, latency, and other metrics to ensure the new key is working properly.
  • The old key is no longer being used
    Check the last used date of the old API key in Paddle > Developer Tools > Authentication. If the date hasn't changed since the update, it indicates that the old key is no longer being used anywhere in your app.

Revoke the old key

Once you've verified that your app is successfully using the new key and the old key is no longer in use, you can safely revoke the old API key instead of waiting for it to expire.

Keep checking your logs to ensure there are no errors upon revoking the old key.

If everything is working as expected, you can safely remove the old key from your key management system, environment variables, or any other places where it's stored. This includes the value of the OLD_PADDLE_KEY if you opted to use two keys simultaneously when switching.

Was this page helpful?