> For the complete documentation index, see [llms.txt](https://developer.paddle.com/llms.txt).

# Strengthen your integration security with enhanced API keys

API keys now have a new standardized format, improved security features, and better management options including permissions, expiry dates, and usage tracking.

---

## What's new?

We've upgraded API keys with enhanced security features and management capabilities that make your integration more secure.

Previously, API keys were simple 50-character strings with no built-in information about their environment or purpose. Keys had unlimited lifespans and full access to all data on your account. With this release, API keys:

* Follow a standardized format that identifies their environment with `live_` or `sdbx_`.
* Are only visible when created.
* Can be assigned specific [permissions](https://developer.paddle.com/api-reference/about/permissions.md) to control access.
* Can [expire](https://developer.paddle.com/api-reference/about/api-keys#expiration.md) to enforce regular [rotation](https://developer.paddle.com/api-reference/about/rotate-api-keys.md).
* Show when they were [last used](https://developer.paddle.com/api-reference/about/api-keys#check-api-keys.md), helping you identify inactive keys and suspicious activity.
* Can be easily managed through a redesigned dashboard page.

## How it works

API keys are now identified by a [new format](https://developer.paddle.com/api-reference/about/api-keys#format.md):

```text {% title="Example of standard format API keys" %}
pdl_live_apikey_01gtgztp8f4kek3yd4g1wrksa3_q6TGTJyvoIz7LDtXT65bX7_AQO
pdl_sdbx_apikey_01gtgztp8f4kek3yd4g1wrksa3_q6TGTJyvoIz7LDtXT65bX7_AQO
```

When [creating](https://developer.paddle.com/api-reference/about/api-keys#create-api-key.md) or [editing](https://developer.paddle.com/api-reference/about/api-keys#edit-api-key.md) an API key, select granular [permissions](https://developer.paddle.com/api-reference/about/permissions.md) to control which entities and operations the API key can access.

Setting an [expiration date](https://developer.paddle.com/api-reference/about/api-keys#expiration.md) for the API key enforces regular rotation. This defaults to 90 days. The new [`api_key.expiring`](https://developer.paddle.com/webhooks/api-keys/api-key-expiring.md) and [`api_key.expired`](https://developer.paddle.com/webhooks/api-keys/api-key-expired.md) events enable subscription to notifications for when API keys are expiring and expired, allowing you to build workflows to [rotate keys](https://developer.paddle.com/api-reference/about/rotate-api-keys.md) and minimize disruption before they expire.

You can create multiple API keys with different permissions and expiry dates to give you more control over who has access to your data and for how long.

API keys can only be viewed once upon creation and must immediately be [stored securely](https://developer.paddle.com/api-reference/about/api-keys#best-practices.md).

After using an API key, the [last used](https://developer.paddle.com/api-reference/about/api-keys#check-api-keys.md) date appears as **Last Used** in the list of API keys at **Paddle > Developer Tools > Authentication**.

## Next steps

This change is live in v1 of the Paddle API. Existing API keys created before May 6, 2025 are now considered legacy API keys.

Legacy API keys continue to work without disruption, with no set timeline for deprecation.

We still recommend you migrate to the new API keys as soon as possible. Check the [permissions reference](https://developer.paddle.com/api-reference/about/permissions#reference.md) to understand which permissions are needed for the requests you make, and assign those permissions to the API key when [creating it](https://developer.paddle.com/api-reference/about/api-keys#create-api-key.md).
## Summary of changes

| Name | Type | Change | Entity | Description |
| --- | --- | --- | --- | --- |
| `api_key.created` | Webhook | added | API keys |  |
| `api_key.updated` | Webhook | added | API keys |  |
| `api_key.expiring` | Webhook | added | API keys |  |
| `api_key.expired` | Webhook | added | API keys |  |
| `api_key.revoked` | Webhook | added | API keys |  |