Programmatically create and manage client-side tokens

Use new client-side token API operations and webhooks to automate your frontend integrations with Paddle.

What's new?

We've introduced new API operations to create, fetch, list, and revoke client-side tokens, plus new webhook events that notify you when client-side tokens are created or revoked.

How it works

Paddle.js is our client-side library used to integrate Paddle on the frontend. Client-side tokens are the required method of authentication for Paddle.js. You provide client-side tokens when initializing Paddle.js.

Previously, you had to create and manage your client-side tokens through the dashboard. Now, you can create, fetch, list, and revoke client-side tokens through the Paddle API, and get notified with events when client-side tokens are created or revoked through the dashboard or the API.

Third-party integrations may also use these client-side token operations or webhooks to streamline your implementation of Paddle, support web payments through Paddle, or enable powerful new functionalities — like the RevenueCat integration. You can give API keys with Client-side token (Read) (client_token.read) and Client-side token (Write) (client_token.write) permissions to third-party integrations to enable these features.

You should only grant these permissions if they're required. Not all integrations use Paddle.js or have features that use these operations and webhooks.

Summary of changes

API operations

This is a summary of the new operations in the Paddle API:

| Method | Path | Summary |
| --- | --- | --- |
| POST | /client-tokens | Create a client-side token |
| PATCH | /client-tokens/{id} | Update a client-side token |
| GET | /client-tokens | List client-side tokens |
| GET | /client-tokens/{id} | Get a client-side token |

Permissions

This is a summary of the new permissions available to API keys:

| Entity | Permission | Description |
| --- | --- | --- |
| Client-side tokens | client_token.read | Allow third-party integrations to view client-side tokens. |
| Client-side tokens | client_token.write | Allow third-party integrations to create client-side tokens. |

Notifications

This is a summary of the new webhook and email notification events:

client_token.created: Occurs when a client-side token is created.
client_token.updated: Occurs when a client-side token is updated.
client_token.revoked: Occurs when a client-side token is revoked.
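
One way to use these three events for monitoring is to replay them into a token inventory and flag tokens that your own automation did not plan for. This is an added example, not Paddle's code. It assumes events are already verified and parsed, and the fields event_type, occurred_at, data.id and data.name, the "active" status value, the expected names and the sample events are all assumptions or constructed values.

```javascript
// Added example. Assumed (not from the page): envelope fields event_type and
// occurred_at, payload fields data.id and data.name, and the "active" status.
const EXPECTED_NAMES = new Set(["web-checkout", "pricing-page"]); // hypothetical

function reconcileTokenEvents(events, expectedNames = EXPECTED_NAMES) {
  const inventory = new Map(); // token id -> { name, status, lastSeen }
  const alerts = [];
  // Webhooks can arrive out of order, so replay them by occurrence time.
  const ordered = [...events].sort(
    (a, b) => Date.parse(a.occurred_at) - Date.parse(b.occurred_at));
  for (const ev of ordered) {
    if (!String(ev.event_type).startsWith("client_token.")) continue;
    const { id, name } = ev.data || {};
    if (!id) { alerts.push({ reason: "malformed_event", type: ev.event_type }); continue; }
    const known = inventory.get(id);
    const entry = { name: name ?? known?.name, status: known?.status ?? "active",
                    lastSeen: ev.occurred_at };
    if (ev.event_type === "client_token.created") {
      // A token nobody planned for may come from an over-permissioned API key.
      if (!expectedNames.has(name)) alerts.push({ reason: "unexpected_token_created", id, name });
      entry.status = "active";
    } else if (ev.event_type === "client_token.revoked") {
      if (!known) alerts.push({ reason: "revoked_unknown_token", id });
      entry.status = "revoked";
    } else if (ev.event_type === "client_token.updated") {
      if (!known) alerts.push({ reason: "updated_unknown_token", id });
    }
    inventory.set(id, entry);
  }
  return { inventory, alerts };
}

// Constructed sample events, listed out of order on purpose.
const SAMPLE_EVENTS = [
  { event_type: "client_token.revoked", occurred_at: "2025-01-01T10:05:00Z",
    data: { id: "ctkn_sample_02" } },
  { event_type: "client_token.created", occurred_at: "2025-01-01T10:00:00Z",
    data: { id: "ctkn_sample_01", name: "web-checkout" } },
  { event_type: "client_token.created", occurred_at: "2025-01-01T10:01:00Z",
    data: { id: "ctkn_sample_02", name: "unknown-integration" } },
  { event_type: "client_token.revoked", occurred_at: "2025-01-01T10:06:00Z",
    data: { id: "ctkn_sample_99" } },
  { event_type: "transaction.completed", occurred_at: "2025-01-01T10:02:00Z",
    data: { id: "txn_sample_01" } },
];

console.log(reconcileTokenEvents(SAMPLE_EVENTS).alerts);
```
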

Next steps

This change is available in version 1 of the Paddle API.

It's a non-breaking change, meaning it doesn't impact existing integrations. Permissions for existing API keys haven't been updated to include client_token.read or client_token.write.

Read more about client-side tokens and Paddle.js to explore their capabilities, and more about API keys and permissions to understand how to grant access to third-party apps safely.
