Paddle Vendor Key
Service Name: Paddle
Service Description: Paddle is a complete payments infrastructure for SaaS companies, providing checkout, subscription management, tax compliance, and revenue recovery tools to help businesses grow globally.
Service Address: https://www.paddle.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured in the Paddle Dashboard under API settings
Secret Access Scope: Grants access to Paddle's API for managing subscriptions, payments, customers, and products. Vendor keys provide access to vendor-specific data and operations.
Secret Revokement URL: https://vendors.paddle.com/authentication
Secret Example: vendor_pid_12345abcdef67890ghijklmnopqrst
Suspicious Activity Investigation Instructions:
- Review Paddle dashboard for unusual transaction activity or unexpected subscription changes
- Check API logs for unauthorized access attempts or unusual API calls
- Monitor for unexpected changes to product configurations or pricing
- Verify webhook configurations haven't been altered
- Review recent customer communications for any reports of billing issues
Mitigation Instructions:
- Log in to your Paddle vendor dashboard
- Navigate to Developer Tools > Authentication
- Locate the compromised API key and click Revoke
- Generate a new API key if needed
- Update the API key in all legitimate applications and services
- Review and update webhook endpoints to ensure they point to legitimate destinations
- Enable additional security measures like IP restrictions if available