What's new?
We've introduced new API operations to create, fetch, list, and revoke client-side tokens, plus new webhook events to notify you when client-side tokens are created or revoked.
How it works
Paddle.js is our client-side library used to integrate Paddle on the frontend. Client-side tokens are the required method of authentication for Paddle.js. You provide client-side tokens when initializing Paddle.js.
Previously, you had to create and manage your client-side tokens through the dashboard. Now, you can create, fetch, list, and revoke client-side tokens through the Paddle API, and get notified with events when client-side tokens are created or revoked through the dashboard or the API.
Third-party integrations may also use these client-side token operations or webhooks to streamline your implementation of Paddle, support web payments through Paddle, or enable powerful new functionalities — like the RevenueCat integration. You can give API keys with Client-side token (Read) (client_token.read) and Client-side token (Write) (client_token.write) permissions to third-party integrations to enable these features.
You should only grant these permissions if they're required. Not all integrations use Paddle.js or have features that use these operations and webhooks.
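One way to act on the `client_token.created` and `client_token.revoked` events described above, as an added example that is not Paddle's code: reconcile incoming events against the tokens your own provisioning created and the tokens currently deployed in your Paddle.js frontends. The envelope fields `event_type`, `occurred_at` and `data`, the `data.id` field, the `provisioned`/`deployed` option names, and all ids are assumptions or constructed placeholders.

```javascript
// Added example. Event field names (event_type, occurred_at, data.id) are assumed.
// provisioned: ids of tokens created by your own tooling.
// deployed:    ids of tokens currently shipped in a Paddle.js frontend.
function auditClientTokenEvents(events, { provisioned, deployed }) {
  const active = new Set();   // tokens seen created and not yet revoked
  const findings = [];
  // Webhooks can arrive out of order, so replay them chronologically.
  const ordered = [...events].sort(
    (a, b) => Date.parse(a.occurred_at) - Date.parse(b.occurred_at)
  );
  for (const ev of ordered) {
    const id = ev.data && ev.data.id;
    if (!id) continue; // ignore malformed events
    if (ev.event_type === 'client_token.created') {
      active.add(id);
      // A token nobody on your side provisioned: created in the dashboard
      // or by an integration holding the write permission.
      if (!provisioned.has(id)) {
        findings.push({ id, issue: 'created-outside-provisioning', at: ev.occurred_at });
      }
    } else if (ev.event_type === 'client_token.revoked') {
      active.delete(id);
      // Revoking a token a frontend still uses breaks Paddle.js initialization there.
      if (deployed.has(id)) {
        findings.push({ id, issue: 'revoked-while-deployed', at: ev.occurred_at });
      }
    }
  }
  return { active: [...active], findings };
}

// Constructed sample events with placeholder ids, deliberately out of order.
const sampleEvents = [
  { event_type: 'client_token.revoked', occurred_at: '2025-01-03T12:00:00Z', data: { id: 'token-A-placeholder' } },
  { event_type: 'client_token.created', occurred_at: '2025-01-01T10:00:00Z', data: { id: 'token-A-placeholder' } },
  { event_type: 'client_token.created', occurred_at: '2025-01-02T09:00:00Z', data: { id: 'token-B-placeholder' } },
];

const sampleReport = auditClientTokenEvents(sampleEvents, {
  provisioned: new Set(['token-A-placeholder']),
  deployed: new Set(['token-A-placeholder']),
});
console.log(JSON.stringify(sampleReport, null, 2));
```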
Next steps
This change is available in version 1 of the Paddle API.
It's a non-breaking change, meaning it doesn't impact existing integrations. Permissions for existing API keys haven't been updated to include client_token.read or client_token.write.
Read more about client-side tokens and Paddle.js to explore their capabilities, and more about API keys and permissions to understand how to grant access to third-party apps safely.
Summary of changes
| Entity | Field | Change | Type |
|---|---|---|---|
| Client tokens | POST Create a client-side token | + Added | API operation |
| Client tokens | PATCH Update a client-side token | + Added | API operation |
| Client tokens | GET List client-side tokens | + Added | API operation |
| Client tokens | GET Get a client-side token | + Added | API operation |
| Client tokens | client_token.created | + Added | Webhook |
| Client tokens | client_token.updated | + Added | Webhook |
| Client tokens | client_token.revoked | + Added | Webhook |
| API keys | client_tokens.read | + Added | Permission |
| API keys | client_tokens.write | + Added | Permission |