> For the complete documentation index, see [llms.txt](https://developer.paddle.com/llms.txt).

# Rotate API keys automatically with AWS Secrets Manager

Paddle now integrates with AWS Secrets Manager so you can rotate API keys automatically on a schedule, with no manual key swaps and no downtime.

---

## What's new?

You can now rotate your Paddle API keys automatically with [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html). Paddle is an official AWS Secrets Manager partner, so you can keep your API credentials fresh on a schedule without manually creating and swapping keys.

## How it works

When you create an API key in **Paddle > Developer Tools > Authentication**, you'll now see a **Rotatable** option. Mark a key as [rotatable](https://developer.paddle.com/api-reference/about/authentication.md), store it in AWS Secrets Manager, and enable rotation, and AWS rotates it for you on your chosen schedule. This works with both your live and sandbox API keys.

During rotation, Paddle generates a new secret and keeps the old one valid for a short grace period, so your app keeps working with no downtime while the new secret takes over. Once the grace period ends, the old secret is revoked.

This means you can:

- Automate key rotation instead of manually creating and revoking keys.
- Keep credentials short-lived to reduce the risk of exposure.
- Meet enterprise security requirements for regular credential rotation.

## Next steps

Rotation is available for keys created with the rotatable option. To get started:

1. [Create a rotatable API key](https://developer.paddle.com/api-reference/about/authentication.md) in Paddle.
2. [Set up automated rotation with AWS Secrets Manager](https://developer.paddle.com/api-reference/about/rotate-api-keys.md).

You can still [rotate keys manually](https://developer.paddle.com/api-reference/about/rotate-api-keys.md) at any time.

This is a non-breaking change, so it doesn't impact existing integrations.
## Summary of changes

| Name | Type | Change | Entity | Description |
| --- | --- | --- | --- | --- |
| `rotatable` | Field | added | api_key.created | Whether the API key can be rotated. Set when the key is created and can't be changed afterward. |
| `rotatable` | Field | added | api_key.updated | Whether the API key can be rotated. Set when the key is created and can't be changed afterward. |
