Permissions grant an API key access to specific entities or allow it to take specific actions in Paddle.
You can assign permissions to a key when creating or updating it.
If your key doesn't have the correct permissions, it returns a forbidden error (403).
Permission types
Each permission targets an entity, like products, customers, or transactions, and is one of two types:
entity.read
Read and list the entity, or use it with theincludeparameter. Applies toGETrequests and preview requests (POSTorPATCH).entity.write
Create, update, archive, and delete the entity. Applies toPOST,PATCH, andDELETErequests. Write permission automatically includes read.
When permissions are required
Your API key needs permissions when working with:
- Operations that access entities
Your key needs permission for any entity an operation returns or acts on. For example, listing adjustments requires theadjustment.readpermission. - Responses that use the
includeparameter
Your key needs read permission for any entity added via theincludeparameter. For example, listing prices withinclude=productrequires bothprice.readandproduct.readpermissions. - Entities that return customer portal URLs
Authenticated customer portal URLs are only returned if the key hascustomer_portal_session.write. For example, without thecustomer_portal_session.writepermission, listing subscriptions doesn't return themanagement_urlsobject containing authenticated links. - Entities populated in simulated webhooks
When simulating webhooks using real data, your API key needs permission to read the entity and any related entities included in webhook payloads but not nested in the parent. For example, creating a notification simulation withconfig.entities.subscription_idrequires thesubscription.readpermission or the request fails.
When using real data in simulated webhooks, permissions are also required for related entities to the parent entity. For example, without the transaction.read permission, related transactions for a real subscription fall back to static examples in simulated payloads.
When permissions aren't required
Your API key doesn't need permissions when working with:
- Nested entities in responses
Entities nested within a response are included regardless of permissions. For example, a transaction response contains prices in theitemsarray. These are included even if you only havetransaction.readpermission and notprice.read. - Indirectly created or updated entities
Operations that indirectly create or update entities don't require write permission for those entities. For example, creating an adjustment that updates a transaction only requiresadjustment.write, nottransaction.write. - Parent entities
You don't need permissions for a parent entity to access its child. For example, retrieving an address for a customer uses bothaddressandcustomerpath parameters, but only requiresaddress.read, notcustomer.read.
Available permissions
| Entity | Permission |
|---|---|
| Products | product.read |
| Products | product.write |
| Prices | price.read |
| Prices | price.write |
| Discounts | discount.read |
| Discounts | discount.write |
| Customers | customer.read |
| Customers | customer.write |
| Addresses | address.read |
| Addresses | address.write |
| Businesses | business.read |
| Businesses | business.write |
| Payment methods | payment_method.read |
| Payment methods | payment_method.write |
| Customer authentication tokens | customer_auth_token.write |
| Customer portal sessions | customer_portal_session.write |
| Transactions | transaction.read |
| Transactions | transaction.write |
| Subscriptions | subscription.read |
| Subscriptions | subscription.write |
| Adjustments | adjustment.read |
| Adjustments | adjustment.write |
| Pricing preview | transaction.read |
| Reports | report.read |
| Reports | report.write |
| Metrics | metrics.read |
| Events | notification.read |
| Notification settings | notification_setting.read |
| Notification settings | notification_setting.write |
| Notifications | notification.read |
| Notifications | notification.write |
| Notification logs | notification.read |
| Simulations | notification_simulation.read |
| Simulations | notification_simulation.write |
| Simulation runs | notification_simulation.read |
| Simulation runs | notification_simulation.write |
| Simulation run events | notification_simulation.read |
| Simulation run events | notification_simulation.write |
| Client-side tokens | client_tokens.read |
| Client-side tokens | client_tokens.write |
Best practices
- Follow the principle of least privilege.
Only assign the permissions a key actually needs. A key used to sync product catalog data doesn't needtransaction.write. - Create separate keys per integration or team.
Issue a distinct key per system or team so you can revoke access without affecting others. - Review and rotate keys when access requirements change.
When access requirements change, update the key rather than leaving unused permissions in place.