Assign client-side token permissions to API keys

What's new?

We've introduced new permissions that allow API keys to manage client-side tokens, unlocking more powerful automation and workflows for third-party integrations.

How it works

Paddle.js is our client-side library used to integrate Paddle on the frontend. Client-side tokens are the mandatory method of authentication for Paddle.js. You provide client-side tokens when initializing Paddle.js.

Many third-party integrations use Paddle.js to streamline your implementation of Paddle, support web payments through Paddle, or enable powerful new functionalities — like the RevenueCat integration.

Third-party integrations are installed with API keys. You can assign permissions to each key to limit what access a trusted partner has to your account. Now, you can assign the following new permissions:

• Client-side token (Read) - client_token.read
• Client-side token (Write) - client_token.write

This enables a supported integration to automate the installation and setup of Paddle.js features on your behalf by creating and managing its own client-side tokens through the Paddle API.

Client-side token API operations are only available to a select few integration partners while in early access. They're planned for public release soon.

You should only grant these permissions if an integration's documentation explicitly states that they are required. Not all integrations use Paddle.js or support this feature.

Permissions

This is a summary of the new permissions available to API keys:

Next steps

This change is available in version 1 of the Paddle API.

It's a non-breaking change, meaning it doesn't impact existing integrations.

Read more on client-side tokens and Paddle.js to explore their capabilities, and more on API keys and permissions to understand how to provision access to third-party apps safely.

Learn more