Skip to content

Paddle Vendor Key

Service Name: Paddle

Service Description: Paddle is a complete payments infrastructure for SaaS companies, providing checkout, subscription management, tax compliance, and revenue recovery tools to help businesses grow globally.

Service Address: https://www.paddle.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured in the Paddle Dashboard under API settings

Secret Access Scope: Grants access to Paddle's API for managing subscriptions, payments, customers, and products. Vendor keys provide access to vendor-specific data and operations.

Secret Revokement URL: https://vendors.paddle.com/authentication

Secret Example: vendor_pid_12345abcdef67890ghijklmnopqrst

Suspicious Activity Investigation Instructions:

  • Review Paddle dashboard for unusual transaction activity or unexpected subscription changes
  • Check API logs for unauthorized access attempts or unusual API calls
  • Monitor for unexpected changes to product configurations or pricing
  • Verify webhook configurations haven't been altered
  • Review recent customer communications for any reports of billing issues

Mitigation Instructions:

  • Log in to your Paddle vendor dashboard
  • Navigate to Developer Tools > Authentication
  • Locate the compromised API key and click Revoke
  • Generate a new API key if needed
  • Update the API key in all legitimate applications and services
  • Review and update webhook endpoints to ensure they point to legitimate destinations
  • Enable additional security measures like IP restrictions if available