Security by design

Permissions and payment integrity belong on the server.

KickBooker derives access from current workspace membership, calculates financial terms in trusted server code and treats verified Stripe webhooks as the source of payment truth.

KickBooker secure workspace dashboard for scheduling and payments

Workspace isolation

Tenant-owned records carry workspace identity and access checks are enforced beyond the browser interface.

Server-owned finance

The client selects an operation; the server derives prices, recipients, wallet identity and credit values.

Auditable movements

Credit and billing flows use immutable references, idempotency controls and append-only ledger records.

Access

Capabilities follow the signed-in member and current workspace.

The API checks active portal, workspace and resource membership before returning or mutating protected records.

  • Role and resource-scoped authorization
  • Server-issued capabilities used by the UI
  • Revoked access denied at the API and database layers

Payments

A browser return never grants money or credit by itself.

Checkout callbacks identify an order while signed Stripe webhook events drive the authoritative paid, refund and dispute lifecycle.

  • Verified webhook signatures
  • Idempotent event and payment processing
  • Transactional wallet spending and booking creation

FAQ

Frequently asked questions

Can another workspace see our private activities or participant data?

Protected workspace and participant records are isolated by membership. Only activity information deliberately published on a public or shared-link page is visible outside the workspace.

What happens when a member's access is removed?

Their access to that workspace stops. Removing workspace membership does not delete the person's separate portal account.

Does KickBooker store customers' card details?

Card details are entered through Stripe Checkout. KickBooker stores the payment references and status needed to match the payment, not raw card numbers.

How does KickBooker know that a payment succeeded?

The payment is confirmed from a verified Stripe notification. A browser redirect alone cannot mark an order as paid.

Content reviewed 2026-07-14.

Talk to KickBooker

Have a security or payment-integrity question?

Send us the workflow you need to validate and we will explain how KickBooker handles it.

Ask a security question