Security and Trust
How crxpay keeps your data safe and why you can trust the platform with your payments.
Your money, your Stripe
crxpay never holds your money. We use Stripe Express Connect — your revenue goes directly into your Stripe account. crxpay takes a platform fee at the point of sale (handled by Stripe), and the rest goes straight to you.
You get a Stripe Express Dashboard where you can:
- See every transaction and payout
- Track when money hits your bank account
- View and respond to disputes
- Download financial reports
This is fundamentally different from platforms that pool your money and pay you later. With crxpay, Stripe manages the funds flow and compliance — not us.
Infrastructure
Cloudflare Workers
The crxpay API runs on Cloudflare Workers — a globally distributed edge compute platform. Your API requests are processed at the nearest Cloudflare data center, resulting in sub-50ms response times worldwide.
- 99.99% uptime SLA from Cloudflare
- Global edge network — 300+ data centers
- DDoS protection included
- No cold starts — Workers are always warm
Cloudflare D1
Customer and subscription data is stored in Cloudflare D1 (distributed SQLite). Data is replicated across multiple regions for durability and low-latency reads.
Encryption
- All API communication is over HTTPS/TLS 1.3
- Session tokens are signed JWTs with 7-day expiry
- Subscription cache in the Chrome extension is HMAC-SHA256 signed — tamper-proof
- Stripe API keys and secrets are stored as encrypted environment variables on Cloudflare Workers, never in source code
- Passwords are hashed with PBKDF2 (100,000 iterations) using the Web Crypto API
SDK Security
Signed subscription cache
The SDK caches subscription state locally in chrome.storage.local. This cache is signed with HMAC-SHA256 using a key derived from the extension's runtime ID and API key. If anyone modifies the cached data, the signature check fails and the cache is discarded.
Signing key = HMAC-SHA256(chrome.runtime.id + ":" + apiKey)
Cache entry = { data: JSON, signature: HMAC(data), timestamp }
On read: recompute HMAC → compare → reject if mismatch
This means:
- Users can't fake a subscription by editing chrome.storage.local
- The cache can't be transplanted between extensions (different runtime IDs)
- Stale data is detected via timestamp (4-hour max age)
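The read path described above (recompute the HMAC, compare, check the age), sketched with the Web Crypto API as an added example; it is not the SDK's own code. Assumptions: the function names are hypothetical, the derivation HMAC is keyed with the API key, and the MAC also covers the timestamp, none of which the page specifies.

```javascript
// Added example: deriveKey, signEntry and readEntry are hypothetical names, not the SDK's API.
// Node fallback so the sketch also runs outside a browser or extension context.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();
const MAX_AGE_MS = 4 * 60 * 60 * 1000; // 4-hour max age, as stated on the page

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) =>
  /^([0-9a-f]{2})+$/.test(hex) ? Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16)) : null;

const importHmac = (raw) =>
  subtle.importKey("raw", raw, { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);

// Assumption: the derivation HMAC is keyed with the API key; the page does not say.
async function deriveKey(runtimeId, apiKey) {
  const outer = await importHmac(enc.encode(apiKey));
  const raw = await subtle.sign("HMAC", outer, enc.encode(`${runtimeId}:${apiKey}`));
  return importHmac(raw);
}

// Assumption: the MAC input is "<timestamp>.<json>" so the age cannot be edited separately.
const macInput = (entry) => enc.encode(`${entry.timestamp}.${entry.data}`);

async function signEntry(key, state, now = Date.now()) {
  const entry = { data: JSON.stringify(state), timestamp: now };
  entry.signature = toHex(await subtle.sign("HMAC", key, macInput(entry)));
  return entry;
}

// Returns the parsed state, or null when the entry must be discarded.
async function readEntry(key, entry, now = Date.now()) {
  if (!entry || typeof entry.data !== "string" || typeof entry.signature !== "string") return null;
  if (!Number.isFinite(entry.timestamp)) return null;
  const sig = fromHex(entry.signature);
  if (!sig) return null;
  // subtle.verify recomputes the HMAC and does the comparison itself.
  if (!(await subtle.verify("HMAC", key, sig, macInput(entry)))) return null;
  const age = now - entry.timestamp;
  if (age < 0 || age > MAX_AGE_MS) return null; // stale or future-dated
  return JSON.parse(entry.data);
}
```

Both key inputs are present in the extension itself, so the signature is an integrity check on the cached copy and not a substitute for the server-side subscription state, which stays the source of truth.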
No secrets in extension code
The SDK uses a public API key (crxpay_pub_...) that is safe to include in your extension's source code. It can only be used to read subscription state for that specific extension — it can't modify data, create charges, or access other extensions.
All sensitive operations (Stripe API calls, webhook processing, customer management) happen on crxpay's servers, never in the extension.
Rate limiting
All API endpoints are rate-limited to prevent abuse:
| Endpoint | Limit |
|---|---|
| Subscription check | 60 requests/min per IP |
| Identify | 10 requests/min per IP |
| Checkout creation | 5 requests/min per IP |
| Magic link email | 3 requests/min per email |
| Dashboard API | 120 requests/min per org |
CAPTCHA protection
Dashboard signup and login forms are protected by Cloudflare Turnstile — a privacy-preserving CAPTCHA alternative that blocks bots without annoying puzzle challenges.
Stripe Security
crxpay's payment processing inherits all of Stripe's security features:
- PCI DSS Level 1 compliance — the highest level of payment security certification
- Stripe Radar — ML-powered fraud detection trained on billions of transactions across the Stripe network
- 3D Secure authentication for high-risk transactions
- Strong Customer Authentication (SCA) compliance for European payments
- Tokenized payment data — crxpay never sees or stores credit card numbers
Data handling
What we store
- Developer data: email, organization name, extension configuration, API keys
- Customer data: email, anonymous install ID, subscription status, entitlements, customer attributes set via SDK
- Analytics: subscription lifecycle events (created, cancelled, renewed, failed), revenue amounts
What we don't store
- Credit card numbers (Stripe handles this)
- Passwords in plaintext (PBKDF2 hashed)
- Personal identity documents (Stripe handles KYC for Express Connect)
Data location
All data is stored on Cloudflare's infrastructure. Cloudflare D1 databases are replicated globally with the primary in the region closest to the platform (currently APAC).
Open source SDK
The crxpay SDK (@crxpay/sdk) source code is available on GitHub. You can audit exactly what the SDK does:
- What data it sends to the API
- How the signed cache works
- How the XState subscription machine manages state transitions
- What permissions it requires and why
Responsible disclosure