Programmatically create and manage client-side tokens
Use new client-side token API operations and webhooks to automate your frontend integrations with Paddle.
What's new?
We've introduced new API operations to create, fetch, list, and revoke client-side tokens, plus new webhook events to notify you when client-side tokens are created or revoked.
How it works
Paddle.js is our client-side library used to integrate Paddle on the frontend. Client-side tokens are the required method of authentication for Paddle.js. You provide client-side tokens when initializing Paddle.js.
Previously, you had to create and manage your client-side tokens through the dashboard. Now, you can create, fetch, list, and revoke client-side tokens through the Paddle API, and get notified with events when client-side tokens are created or revoked through the dashboard or the API.
Third-party integrations may also use these client-side token operations or webhooks to streamline your implementation of Paddle, support web payments through Paddle, or enable powerful new functionalities, like the RevenueCat integration. You can give API keys with Client-side token (Read) (client_token.read) and Client-side token (Write) (client_token.write) permissions to third-party integrations to enable these features.
You should only grant these permissions if they're required. Not all integrations use Paddle.js or have features that use these operations and webhooks.
Summary of changes
API operations
This is a summary of the new operations in the Paddle API:
Method | Path | Summary |
---|---|---|
POST | /client-tokens | Create a client-side token |
PATCH | /client-tokens/{id} | Update a client-side token |
GET | /client-tokens | List client-side tokens |
GET | /client-tokens/{id} | Get a client-side token |
Permissions
This is a summary of the new permissions available to API keys:
Entity | Permission | Description |
---|---|---|
Client-side tokens | client_token.read | Allow third-party integrations to view client-side tokens. |
Client-side tokens | client_token.write | Allow third-party integrations to create client-side tokens. |
Notifications
This is a summary of the new webhook and email notification events:
Event | Description |
---|---|
client_token.created | Occurs when a client-side token is created. |
client_token.updated | Occurs when a client-side token is updated. |
client_token.revoked | Occurs when a client-side token is revoked. |
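An added example, not Paddle's code: one way to consume the three events above to keep a token inventory and flag two conditions worth alerting on, a token created outside your change process and a revoked token still shipped in a frontend build. The payload field names (event_id, event_type, occurred_at, data.id, data.name), the approved-name and deployed-id sets, and the sample events are assumptions constructed for illustration.

```javascript
// Event names come from the page. The payload fields used here (event_id,
// event_type, occurred_at, data.id, data.name) are assumptions.
const TOKEN_EVENTS = new Set([
  "client_token.created", "client_token.updated", "client_token.revoked",
]);

// approvedNames: token names your change process expects to exist.
// deployedIds: token ids currently shipped in frontend builds.
function reconcileTokenEvents(events, approvedNames, deployedIds) {
  const seen = new Set();    // event ids already processed
  const revoked = new Set(); // this example treats revocation as final
  const active = new Map();  // token id -> latest name
  const findings = [];
  // Deliveries can arrive out of order or more than once: sort, then dedupe.
  const ordered = events
    .filter((e) => TOKEN_EVENTS.has(e.event_type))
    .sort((a, b) => Date.parse(a.occurred_at) - Date.parse(b.occurred_at));
  for (const e of ordered) {
    if (seen.has(e.event_id)) continue;
    seen.add(e.event_id);
    const { id, name } = e.data;
    if (e.event_type === "client_token.revoked") {
      revoked.add(id);
      active.delete(id);
      if (deployedIds.has(id)) findings.push({ id, issue: "revoked_but_deployed" });
    } else if (!revoked.has(id)) {
      if (e.event_type === "client_token.created" && !approvedNames.has(name)) {
        findings.push({ id, issue: "unapproved_creation" });
      }
      active.set(id, name);
    }
  }
  return { active: [...active.keys()], findings };
}

// Constructed sample events, deliberately out of order and with a duplicate.
const sampleEvents = [
  { event_id: "evt_3", event_type: "client_token.revoked",
    occurred_at: "2025-01-01T12:00:00Z", data: { id: "ctkn_a", name: "checkout-web" } },
  { event_id: "evt_1", event_type: "client_token.created",
    occurred_at: "2025-01-01T10:00:00Z", data: { id: "ctkn_a", name: "checkout-web" } },
  { event_id: "evt_2", event_type: "client_token.created",
    occurred_at: "2025-01-01T11:00:00Z", data: { id: "ctkn_b", name: "tmp-test" } },
  { event_id: "evt_2", event_type: "client_token.created",
    occurred_at: "2025-01-01T11:00:00Z", data: { id: "ctkn_b", name: "tmp-test" } },
];
```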
Next steps
This change is available in version 1 of the Paddle API.
It's a non-breaking change, meaning it doesn't impact existing integrations. Permissions for existing API keys haven't been updated to include client_token.read or client_token.write.
Read more about client-side tokens and Paddle.js to explore their capabilities, and more about API keys and permissions to understand how to grant access to third-party apps safely.