Maleku System uses Stripe Checkout for all guest-facing payment flows. After creating a booking, the client application requests a Checkout Session from this API, then redirects the user to Stripe’s hosted payment page. On success, Stripe posts a webhook event that confirms the booking. The platform retains a 10% commission on every transaction via Stripe Connect.
POST /api/v1/stripe/checkout
Creates a Stripe Checkout Session for a pending booking. The session is tied to the authenticated user’s booking and includes the commission split configured on the vendor’s Stripe Connect account.
Auth: Bearer token — must be the booking owner
Rate limit: 10 requests/minute per IP
UUID of a pending booking to pay for.
URL to redirect the user to after successful payment. Must belong to an allowed domain (see warning below).
URL to redirect the user to if they cancel checkout. Same domain restrictions apply.
200
checkout_url immediately after receiving this response. The session expires after 24 hours.
Error responses
| Status | Cause |
|---|---|
| 404 | Booking not found |
| 403 | Authenticated user does not own the booking |
| 400 | Booking is not in pending status, or Stripe API error |
POST /api/v1/stripe/webhook
Receives and processes event notifications from Stripe. This endpoint must be publicly reachable and registered in the Stripe Dashboard as a webhook endpoint.
Auth: None — verified via Stripe-Signature header
The raw request body is verified against STRIPE_WEBHOOK_SECRET using stripe.WebhookEvent.construct_from. Requests with a missing or invalid signature header are rejected with 400 Bad Request.
Idempotency
Every processed event ID is stored in the ProcessedWebhook table (event_id primary key, event_type, processed_at). Duplicate delivery of the same event is detected and returns {"status": "already_processed"} — preventing replay attacks and double-processing.
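One way to implement the signature check and the duplicate-event check described above, as an added example that is not the project's own code: it verifies the Stripe-Signature header by hand (HMAC-SHA256 over "timestamp.raw_body", carried as t=/v1= pairs) and uses an in-memory SQLite table as a stand-in for ProcessedWebhook. The function names, the 300-second tolerance, the 400 body and the "processed" status are assumptions.

```python
import hashlib
import hmac
import json
import sqlite3
import time

TOLERANCE_SECONDS = 300  # assumption: reject signatures older than 5 minutes
HANDLED = {"checkout.session.completed", "payment_intent.succeeded",
           "payment_intent.payment_failed", "charge.refunded"}

def open_store():
    db = sqlite3.connect(":memory:")  # stand-in for the ProcessedWebhook table
    db.execute("CREATE TABLE processed_webhook ("
               "event_id TEXT PRIMARY KEY, event_type TEXT, processed_at REAL)")
    return db

def sign_for_test(raw_body, secret, t):
    # Builds a constructed header the way the sender would: HMAC over "t.body".
    mac = hmac.new(secret.encode(), f"{t}.".encode() + raw_body, hashlib.sha256)
    return f"t={t},v1={mac.hexdigest()}"

def verify_signature(raw_body, header, secret, now=None):
    # Header format: t=<unix seconds>,v1=<hex HMAC-SHA256>[,v1=...]
    pairs = [p.split("=", 1) for p in (header or "").split(",") if "=" in p]
    ts = next((v for k, v in pairs if k.strip() == "t"), "")
    sigs = [v for k, v in pairs if k.strip() == "v1"]
    if not ts.isdecimal() or not sigs:
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > TOLERANCE_SECONDS:
        return False  # stale timestamp: a captured request cannot be replayed later
    mac = hmac.new(secret.encode(), ts.encode() + b"." + raw_body, hashlib.sha256)
    expected = mac.hexdigest().encode()
    return any(hmac.compare_digest(expected, s.encode()) for s in sigs)

def handle_webhook(db, raw_body, header, secret, now=None):
    # Verify against the raw bytes before parsing anything from the body.
    if not verify_signature(raw_body, header, secret, now):
        return 400, {"detail": "invalid signature"}  # body text is an assumption
    event = json.loads(raw_body)
    if event["type"] not in HANDLED:
        return 200, {"status": "ignored"}
    try:
        with db:  # commit on success, roll back on error
            db.execute("INSERT INTO processed_webhook VALUES (?, ?, ?)",
                       (event["id"], event["type"], time.time()))
    except sqlite3.IntegrityError:
        return 200, {"status": "already_processed"}
    return 200, {"status": "processed"}  # success body is an assumption
```

The primary-key insert is the dedup decision itself, so two concurrent deliveries of the same event cannot both pass a separate "seen before?" lookup.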
Handled events
| Event | Action |
|---|---|
| checkout.session.completed | Sets booking status = confirmed, stores stripe_payment_intent_id |
| payment_intent.succeeded | Sets booking status = confirmed, sends payment receipt email |
| payment_intent.payment_failed | Sets booking status = cancelled |
| charge.refunded | Sets booking status = refunded, stripe_payment_status = "refunded" |
{"status": "ignored"} and logged at DEBUG level.
Response 200 — always returned (even on processing errors) to prevent Stripe from retrying:
The platform takes a 10% commission on every booking (STRIPE_COMMISSION_RATE = 0.10). This is deducted from the vendor payout automatically via Stripe Connect’s application_fee_amount. Individual vendors may have a custom commission_rate stored on their Vendor record; if set, it overrides the platform default.
Vendor Connect
Vendors must connect a Stripe account before they can receive payouts.
GET /api/v1/stripe/vendor/connect
Returns the current Stripe Connect status for the authenticated vendor. If no account exists, a new one is created and an onboarding URL is returned.
Auth: Bearer token — Vendor role required
Response 200 — VendorConnectResponse
status values:
| Value | Meaning |
|---|---|
| connected | Account is fully verified (charges_enabled and payouts_enabled are both true) |
| pending_verification | Account exists but Stripe verification is incomplete |
| onboarding_required | New account created — vendor must visit onboarding_url |
create_vendor_connect_account, get_connect_account_status) in stripe_service.py handle all Stripe API calls.
Refunds
POST /api/v1/stripe/bookings//refund
Issues a full or partial refund for a paid booking. Only vendors (for their own bookings) and admins may trigger refunds.
Auth: Bearer token — Vendor or Admin
Rate limit: 5 requests/minute per IP
Refund amount in USD. If omitted, a full refund of booking.total_amount is issued.
Optional reason string passed to Stripe (e.g. "customer_request", "duplicate").
200 — RefundResponse
status is automatically updated to refunded and stripe_payment_status is set to "refunded". Partial refunds do not change booking status.
Additional Endpoints
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/stripe/config | Public | Returns publishable_key and default currency ("usd") for frontend Stripe.js initialization |
| GET | /api/v1/stripe/bookings/{id}/payment-status | Bearer | Checks stripe_payment_status and booking.status — used by frontend after redirect from Stripe |