Rotate API keys

Rotate a Paddle API key by replacing it with a new one, transitioning traffic, verifying the new key works, and revoking the old one. The workflow: 1. Create a new API key in the Paddle dashboard under Developer Tools > Authentication. Assign the same permissions as the key you're replacing and set an appropriate expiry date. Use a descriptive name that includes the purpose and expiry. 2. Store the new key alongside the old one. Set it as ACTIVE_PADDLE_KEY and keep the old key as OLD_PADDLE_KEY in your environment variables or secret manager. Update your code to try ACTIVE_PADDLE_KEY first and fall back to OLD_PADDLE_KEY as a safety net during the transition. 3. Verify the new key by checking logs, error rates, and latency. Then confirm the old key is unused by checking its last-used date in the dashboard. 4. Revoke the old key once you're confident the new one is working everywhere. Then remove OLD_PADDLE_KEY from your environment. If you're rotating because of an exposure, revoke the exposed key first — security takes priority over a smooth transition. Keys revoked due to exposure cannot be reactivated; the 60-minute grace period only applies to manual revocations. For full details, fetch https://developer.paddle.com/api-reference/about/rotate-api-keys.md or use the paddle-docs MCP server. Ask me whether this is a proactive rotation (expiring key) or a reactive one (exposure), what language my app is in so you can show the right fallback code, and where my keys are stored (environment variables, secret manager, etc.), then walk me through the workflow.

Subscribe to Paddle webhook notifications so I'm alerted when an API key is about to expire, has expired, or has been revoked due to exposure. There are four relevant events: - api_key.expiring — fires seven days before an API key expires - api_key.expired — fires when an API key expires - api_key.revoked — fires when Paddle automatically revokes a key (usually due to exposure) - api_key_exposure.created — fires when Paddle detects a key in a public location like a GitHub repo Use the create_notification_setting tool in the Paddle MCP server. If that's not available, use the Paddle API to POST to /notification-settings with: - type: "url" for a webhook endpoint, or "email" for email delivery - destination: your webhook URL or email address - subscribed_events: the four event names above - description: a short label like "API key lifecycle alerts" If you already have a notification destination, use update_notification_setting instead. Important: when updating, send the full list of subscribed_events you want — anything omitted is unsubscribed. The create response includes an endpoint_secret_key (prefixed pdl_ntfset_). Save it immediately — you need it to verify webhook signatures, and it can't be retrieved again later. When api_key.expiring or api_key.revoked arrives, start the rotation workflow. When api_key_exposure.created arrives, treat it as urgent — revoke the exposed key and replace it. For full details, fetch https://developer.paddle.com/api-reference/about/rotate-api-keys.md or use the paddle-docs MCP server. Ask me whether I want email or URL delivery, what endpoint or email to use, and whether I'm adding to an existing destination or creating a new one, then set it up and remind me to save the secret key.

Revoke a Paddle API key that has been exposed publicly (for example, committed to GitHub, leaked in logs, or shared in chat) and deploy a replacement. Security takes priority here. Revoke the exposed key first, before worrying about a smooth transition — any in-flight requests will fail until the replacement is deployed, but that's preferable to leaving the exposure open. Steps: 1. Revoke the exposed key immediately in the Paddle dashboard under Developer Tools > Authentication. Find the affected key and revoke it. Keys revoked due to an exposure cannot be reactivated — the 60-minute grace period does not apply. 2. Create a replacement key with the same permissions and an appropriate expiry date. Give it a descriptive name. 3. Deploy the new key everywhere the old key was used — environment variables, secret managers, CI/CD secrets, and so on. Restart or redeploy services so they pick up the new value. 4. Investigate how the exposure happened (accidental commit, log-sanitization gap, insecure storage) and fix the root cause so it doesn't happen again. 5. Audit logs for any unauthorized activity that may have occurred between the exposure and the revocation. If Paddle automatically revoked the key and you received an api_key.revoked or api_key_exposure.created webhook, skip step 1 and start from step 2. For full details, fetch https://developer.paddle.com/api-reference/about/rotate-api-keys.md or use the paddle-docs MCP server. Ask me how the key was exposed, whether Paddle has already auto-revoked it, and where I need to deploy the replacement, then walk me through the remaining steps.