For AI agents and LLMs: a structured documentation index is available at /llms.txt. Every page has a Markdown sibling — append .md to any URL.

Skip to content
Docs

Manage client-side tokens

Create and revoke client-side tokens used to initialize Paddle.js in your frontend.

AI summary

Create and manage client-side tokens to authenticate Paddle.js in your frontend code. This is a requirement when working with pricing pages, checkouts, and Retain workflows.

  • • Client-side tokens are safe to expose in frontend code — unlike API keys, they're limited to opening checkouts, previewing prices, and previewing transactions
  • • Sandbox tokens (prefixed test_) and live tokens (prefixed live_) are separate and only work in their respective environments — swap them when moving to production
  • • Create and revoke tokens in Paddle > Developer Tools > Authentication, via the Paddle API, or using the Paddle MCP server

Client-side tokens let you interact with the Paddle platform in frontend code, like webpages or mobile apps.

  • They're intended only for client-side use.
  • They're limited to opening checkouts, previewing prices, and previewing transactions.
  • They're safe to publish and expose in your code.

They're required for working with Paddle.js.

Looking to integrate Paddle in your backend? Use the Paddle API or SDKs with API keys instead.

Use an AI agent

How it works

When you initialize Paddle.js, you must include a client-side token. Paddle uses your client-side token to identify your account and verify that you have permission to perform the requested action.

HTML
<script src="https://cdn.paddle.com/paddle/v2/paddle.js"></script>
<script type="text/javascript">
Paddle.Initialize({
token: "live_7d279f61a3499fed520f7cd8c08", // replace with a client-side token
});
</script>
TypeScript
import { initializePaddle } from "@paddle/paddle-js";
const paddle = await initializePaddle({
token: "live_7d279f61a3499fed520f7cd8c08", // replace with a client-side token
});

Never use API keys with Paddle.js. API keys should be kept secret and never used in your frontend. Revoke keys immediately if they've been used in your frontend.

Sandbox vs live workspaces

Paddle has separate sandbox and live workspaces, each with their own set of client-side tokens. This separation helps you safely test your integration without affecting real customer data or transactions.

Sandbox client-side tokens

  • Use these tokens as you build and test your integration.
  • They only work in the sandbox environment where no real money is involved.
  • Sandbox client-side tokens contain test_.
  • Create a sandbox client-side token in the sandbox dashboard.

Live client-side tokens

  • Use these tokens only when you're ready to process real transactions in your production app.
  • They only work in the live environment where real money is involved.
  • Live client-side tokens contain live_.
  • Create a live client-side token in the live dashboard.

Format

Client-side tokens always follow a specific format:

  • Always start with test_ or live_ to show the environment they're used for.
  • Contains a random string of 27 characters in length after the environment prefix.
Regex pattern for client-side tokens
^(test|live)_[a-zA-Z0-9]{27}$

Create a client-side token

  1. Go to Paddle > Developer Tools > Authentication.
  2. Click the Client-side tokens tab.
  3. Click New client-side token .
  4. Enter a name and description for the client-side token.
  5. Click Save when you're done.
  6. Click the button next to the client-side token you want to use, then choose Copy .

Illustration of the new token form in Paddle. It shows the name and description fields. There's a button that says Save.

You can use the /client-tokens endpoint to create a client-side token.

  • Build a request that includes the name of your token to easily identify it.
  • You can optionally provide a description with more information on the token's purpose or usage.

If successful, Paddle responds with a copy of the new client-side token entity. The returned token field is the client-side token you can use for authentication when intializing Paddle.js.

POST /client-tokens
Request
{
"name": "Pricing page integration",
"description": "Used to display prices and open checkout within our pricing page on our marketing domain."
}
Response
{
"data": {
"id": "ctkn_01ghbkd0frb9k95cnhwd1bxpvk",
"token": "live_7d279f61a3499fed520f7cd8c08",
"name": "Pricing page integration",
"description": "Used to display prices and open checkout on our pricing page on our marketing domain.",
"status": "active",
"created_at": "2025-06-26T14:36:14.695Z",
"updated_at": "2025-06-26T14:36:14.695Z",
"revoked_at": null
},
"meta": {
"request_id": "1681f87f-9c36-4557-a1da-bbb622afa0cc"
}
}

Revoke a client-side token

Client-side tokens are safe to expose publicly in your frontend code. However, you may still want to revoke a token so it can no longer be used to authenticate Paddle.js.

Revoking a token is permanent. Check that your client-side token isn't used in production before revoking it to prevent disruption to customers.

  1. Go to Paddle > Developer Tools > Authentication.
  2. Click the Client-side tokens tab.
  3. Click the button next to the token you want to revoke, then choose Revoke .
  4. Confirm you want to revoke the client-side token by filling in the confirmation box.

Illustration of the authentication screen in Paddle. It shows the client-side tokens tab. There's a list of client-side tokens with the three dots icon. The menu for the first token is open, showing options to revoke.

You can revoke a client-side token using the /client-tokens/{client_token_id} endpoint.

Build a request that includes a status field with a value of revoked.

If successful, Paddle responds with a copy of the revoked client-side token entity. It can no longer be used to authenticate.

PATCH /client-tokens/{client_token_id}
Request
{
"status": "revoked"
}
Response
{
"data": {
"id": "ctkn_01ghbkd0frb9k95cnhwd1bxpvk",
"token": "live_7d279f61a3499fed520f7cd8c08",
"name": "Pricing page integration",
"description": "Used to display prices and open checkout within our pricing page on our marketing domain.",
"status": "revoked",
"created_at": "2025-06-26T14:36:14.695Z",
"updated_at": "2025-07-03T15:14:12.435Z",
"revoked_at": "2025-07-03T15:14:12.435Z"
},
"meta": {
"request_id": "1681f87f-9c36-4557-a1da-bbb622afa0cc"
}
}

Events

client_token.created Occurs when a client-side token is created.
client_token.updated Occurs when a client-side token is updated.
client_token.revoked Occurs when a client-side token is revoked.

Was this page helpful?