

Rotate API keys automatically with AWS Secrets Manager

Paddle now integrates with AWS Secrets Manager so you can rotate API keys automatically on a schedule, with no manual key swaps and no downtime.

Tooling

  • API
  • Platform
  • Webhooks

Scheduled for

July 6, 2026

Status

Scheduled

What's new?

You can now rotate your Paddle API keys automatically with AWS Secrets Manager. Paddle is an official AWS Secrets Manager partner, so you can keep your API credentials fresh on a schedule without manually creating and swapping keys.

How it works

When you create an API key in Paddle > Developer Tools > Authentication, you'll now see a Rotatable option. Mark a key as rotatable, store it in AWS Secrets Manager, and enable rotation, and AWS rotates it for you on your chosen schedule. This works with both your live and sandbox API keys.

During rotation, Paddle generates a new secret and keeps the old one valid for a short grace period, so your app keeps working with no downtime while the new secret takes over. Once the grace period ends, the old secret is revoked.

This means you can:

  • Automate key rotation instead of manually creating and revoking keys.
  • Keep credentials short-lived to reduce the risk of exposure.
  • Meet enterprise security requirements for regular credential rotation.
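The no-downtime property of the grace period described above only holds if your app re-reads the secret before the old one is revoked. The following is an added example, not Paddle's or AWS's code: a client-side key cache that refreshes on a timer and, as a fallback, refetches and retries once when the API rejects the cached key. The names `RotatingKeyCache`, `call_with_rotation` and `simulate`, the 401/403 status codes, and the timeline values are assumptions made for illustration.

```python
import time

AUTH_REJECTED = (401, 403)  # assumption: statuses returned for a revoked key


class RotatingKeyCache:
    """Holds the API key read from the secret store and re-reads it when stale."""

    def __init__(self, fetch_secret, max_age, clock=time.monotonic):
        self._fetch = fetch_secret   # e.g. a wrapper around Secrets Manager GetSecretValue
        self._max_age = max_age      # in production, keep this shorter than the grace period
        self._clock = clock
        self._key = None
        self._fetched_at = 0.0

    def get(self, force=False):
        now = self._clock()
        if force or self._key is None or now - self._fetched_at >= self._max_age:
            self._key = self._fetch()
            self._fetched_at = now
        return self._key


def call_with_rotation(cache, send):
    """send(key) returns an HTTP status; retry once with a fresh key if rejected."""
    status = send(cache.get())
    if status in AUTH_REJECTED:
        status = send(cache.get(force=True))
    return status


def simulate():
    """Constructed timeline: rotation at t=60, old secret revoked by t=120.
    max_age is deliberately longer than that to exercise the retry path."""
    store, valid, now = {"current": "key_v1"}, {"key_v1"}, [0.0]
    cache = RotatingKeyCache(lambda: store["current"], max_age=300, clock=lambda: now[0])
    send = lambda key: 200 if key in valid else 401    # stand-in for the API
    statuses = [call_with_rotation(cache, send)]
    store["current"] = "key_v2"; valid.add("key_v2"); now[0] = 60   # rotation happens
    statuses.append(call_with_rotation(cache, send))   # cached old key, still in grace
    key_in_grace = cache.get()
    valid.discard("key_v1"); now[0] = 120              # grace period over
    statuses.append(call_with_rotation(cache, send))   # rejected once, refetch, retry
    return statuses, key_in_grace, cache.get()


if __name__ == "__main__":
    print(simulate())
```

A spike in forced refreshes shortly after a scheduled rotation is a signal that the cache lifetime is longer than the grace period and should be reduced.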

Next steps

Rotation is available for keys created with the rotatable option. To get started:

  1. Create a rotatable API key in Paddle.
  2. Set up automated rotation with AWS Secrets Manager.

You can still rotate keys manually at any time.

This is a non-breaking change, so it doesn't impact existing integrations.

Summary of changes

api_key.created

Webhook event
  • + Added Field rotatable

    Whether the API key can be rotated. Set when the key is created and can't be changed afterward.

api_key.updated

Webhook event
  • + Added Field rotatable

    Whether the API key can be rotated. Set when the key is created and can't be changed afterward.
