Strengthen your integration security with enhanced API keys

API keys now have a new standardized format, improved security features, and better management options — including permissions and expiry dates.

What's new?

We've upgraded API keys with enhanced security features and management capabilities that make your integration more secure.

Illustration of the authentication screen in Paddle. It shows the API keys tab. There's a list of API keys with their name, status, last used date, permissions, expiry date, and created date for each. There is a button to create and an action menu with three dots for each key.

Previously, API keys were simple 50-character strings with no built-in information about their environment or purpose. Keys had unlimited lifespans and full access to all data on your account. With this release, API keys:

  • Follow a standardized format that identifies their environment with live_ or sdbx_.
  • Are only visible when created.
  • Can be assigned specific permissions to control access.
  • Can expire to enforce regular rotation.
  • Show when they were last used, helping you identify inactive keys and suspicious activity.
  • Can be easily managed through a redesigned dashboard page.

How it works

API keys are now identified by a new format:

When creating or editing an API key, select granular permissions to control which entities and operations the API key can access.

Setting an expiration date for the API key enforces regular rotation. This defaults to 90 days. Subscribe to the new api_key.expiring and api_key.expired events to be notified when API keys are about to expire or have expired, so you can build workflows that rotate keys before they expire and minimize disruption.

You can create multiple API keys with different permissions and expiry dates to give you more control over who has access to your data and for how long.

API keys can only be viewed once upon creation and must immediately be stored securely.

After using an API key, the last used date appears as Last Used in the list of API keys at Paddle > Developer Tools > Authentication.
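
The attributes described above (permissions, expiry date, last used date) are enough to audit a key inventory for least privilege and rotation hygiene. The following is an added example, not Paddle's code, and it calls no Paddle API: the record field names, the 30-day inactivity threshold, and the sample inventory are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EXPIRING_WINDOW = timedelta(days=7)   # same lead time as the api_key.expiring event
INACTIVE_AFTER = timedelta(days=30)   # assumed local policy, not a Paddle value
LEGACY_CUTOFF = datetime(2025, 5, 6, tzinfo=timezone.utc)  # older keys are legacy

def utc(day):
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc) if day else None

def audit_key(key, required, now):
    """Findings for one key; `required` is the permission set its integration needs."""
    if key["created"] < LEGACY_CUTOFF:
        return ["legacy"]             # unlimited lifespan, full account access: migrate
    findings = []
    if key["expires"] is None:
        findings.append("no_expiry")
    elif key["expires"] <= now:
        findings.append("expired")
    elif key["expires"] - now <= EXPIRING_WINDOW:
        findings.append("expiring_soon")
    if key["last_used"] is None or now - key["last_used"] > INACTIVE_AFTER:
        findings.append("inactive")
    granted = set(key["permissions"])
    findings += [f"excess:{p}" for p in sorted(granted - required)]
    findings += [f"missing:{p}" for p in sorted(required - granted)]
    return findings

def audit(inventory, needs, now):
    return {k["name"]: audit_key(k, needs.get(k["name"], set()), now) for k in inventory}

def record(name, created, expires, last_used, permissions):
    return {"name": name, "created": utc(created), "expires": utc(expires),
            "last_used": utc(last_used), "permissions": permissions}

# Constructed inventory; field names mirror the dashboard columns and are assumptions.
NOW = utc("2025-09-01")
INVENTORY = [
    record("catalog-sync", "2025-07-01", "2025-09-29", "2025-08-31",
           ["product.read", "product.write", "price.read"]),
    record("billing-worker", "2025-06-10", "2025-09-05", "2025-08-30", ["subscription.read"]),
    record("old-cron", "2024-11-02", None, "2025-08-31", []),
    record("report-export", "2025-05-20", None, "2025-06-15", ["report.read"]),
]
NEEDS = {"catalog-sync": {"product.read", "price.read"}, "billing-worker": {"subscription.read"},
         "report-export": {"report.read", "report.write"}}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, NEEDS, NOW).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Keys flagged inactive or excess are candidates for revocation or re-creation with a narrower permission set; a key with no entry in NEEDS has every granted permission reported as excess.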

Summary of changes

Notifications

This is a summary of the new webhook and email notification events:

  • api_key.created: Occurs when an API key is created.
  • api_key.updated: Occurs when an API key is updated.
  • api_key.expiring: Occurs when an API key expires in seven days.
  • api_key.expired: Occurs when an API key has expired.
  • api_key.revoked: Occurs when an API key is revoked.

Permissions

This is a summary of the new permissions available to API keys:

Entity | Permission | Description
Products | product.read | View products and include product data in API responses.
Products | product.write | Create new products and modify existing product information.
Prices | price.read | View prices and include price data in API responses.
Prices | price.write | Create new prices and modify existing price information.
Discounts | discount.read | View discounts and include discount data in API responses.
Discounts | discount.write | Create new discounts and modify existing discount information.
Customers | customer.read | View customers, including credit balances, and include customer data in API responses.
Customers | customer.write | Create new customers and update existing customer information.
Addresses | address.read | View customer addresses and include address data in API responses.
Addresses | address.write | Create and update customer addresses.
Businesses | business.read | View customer businesses and include business data in API responses.
Businesses | business.write | Create and update customer businesses.
Payment methods | payment_method.read | View saved payment methods for customers.
Payment methods | payment_method.write | Delete payment methods for customers.
Customer authentication tokens | customer_auth_token.write | Generate authentication tokens for customers.
Customer portal sessions | customer_portal_session.write | Create new customer portal sessions for customers to manage their subscriptions, payment methods, and more.
Transactions | transaction.read | View transactions, preview transactions, access invoices, and include transaction data in API responses.
Transactions | transaction.write | Create, update, and revise transactions, and update payment methods.
Subscriptions | subscription.read | View subscription information and preview subscription updates and charges.
Subscriptions | subscription.write | Create one-time charges, update subscriptions, and manage subscription status.
Adjustments | adjustment.read | View adjustments and credit notes for transactions.
Adjustments | adjustment.write | Create new adjustments for transactions.
Pricing preview | transaction.read | Preview prices based on different parameters.
Reports | report.read | View and download report data.
Reports | report.write | Create new reports.
Events | notification.read | View event history and include event data in API responses.
Notification settings | notification_setting.read | View settings for notifications.
Notification settings | notification_setting.write | Create, update, and delete notification settings.
Notifications | notification.read | View sent notifications.
Notifications | notification.write | Replay notifications.
Notification logs | notification.read | View notification delivery logs.
Simulations | notification_simulation.read | View notification simulations.
Simulations | notification_simulation.write | Create and modify notification simulations.
Simulation runs | notification_simulation.read | View runs for notification simulations.
Simulation runs | notification_simulation.write | Create a run for a notification simulation.
Simulation run events | notification_simulation.read | View events within a run for a notification simulation.
Simulation run events | notification_simulation.write | Replay events within a run for a notification simulation.

Next steps

This change is live in v1 of the Paddle API. Existing API keys created before May 6, 2025 are now considered legacy API keys.

Legacy API keys continue to work without disruption, with no set timeline for deprecation.

We still recommend you migrate to the new API keys as soon as possible. Check the permissions reference to understand which permissions are needed for the requests you make, and assign those permissions to the API key when creating it.
