You can now reduce the security risk of static Paddle API keys by rotating them automatically with AWS Secrets Manager. This helps teams keep credentials fresh on a schedule, without manually creating, replacing and revoking keys.
What’s new
Paddle API keys now support automatic rotation through AWS Secrets Manager.
To use automatic rotation:
- Create a new API key in Paddle and turn on the ‘Rotatable’ option
- Store the key as a secret in AWS Secrets Manager
- Enable rotation, choose your rotation schedule, and select Paddle as the rotation integration.
During rotation, Paddle generates a new secret. By default, the old secret remains valid for a short grace period, helping your application continue running while the new secret takes over. Once the grace period ends, the old secret is revoked automatically. You can also choose atomic rotation, where only one key is active at a time.
This works with both live and sandbox API keys.
Why it matters
Static API keys can increase security and compliance risk, especially when they stay active for prolonged periods of time.
Until now, teams using AWS Secrets Manager still had to rotate their Paddle API keys manually at set intervals, or leave them active for longer. Automatic rotation removes that manual burden, reduces the exposure window if a key is leaked or mishandled, and helps teams manage Paddle API credentials in the AWS tooling they already use.
Good to know
This is optional and existing integrations aren’t affected.
Automatic rotation only works for API keys created with ‘Rotatable’ turned on. Existing non-rotatable keys cannot be changed later, so you’ll need to create a new rotatable key if you want to use AWS Secrets Manager rotation.
Need help?
— Colin Barr, Director of InfoSec & IT