There are two kinds of releases. The kind where we ship something shiny and new, and the kind where we make everything you already use more trustworthy. Today is the second kind, and honestly, it might be the more important one.
ShiftSee moves real money between real businesses and real people. That deserves paranoia. So today we audited the platform end to end, the API, the website, and the mobile apps, and shipped fixes the same day.
Money first
Every request that touches a payment, a payout, a saved card, an invoice, or a shift now proves the signed-in account owns the thing it is touching. Linked accounts and business teammates are recognized automatically, so your team keeps working exactly as before. What changes is what is impossible: nobody else's tap can ever reach your wallet.
We also made paying for a shift atomic. Double taps, retries on a bad connection, two managers paying at the same moment: one shift, one charge, every time. And when you delete a saved payment method, it is now fully detached at our payment processor too, not just hidden from your list.
Honesty in the small things
A platform earns trust in unglamorous places. A few we fixed today:
Photo uploads were quietly broken. On the website and in the current iOS and Android apps, saving a profile photo or business logo looked like it worked and did nothing. Fixed everywhere, and the mobile apps did not even need an update; we repaired it on our side.
The earnings page now earns its name. Shifters get this-month gross, a month-end projection, typical hourly rate, goal tracking, a 12-month trend, a per-business breakdown, mileage, and a CSV export for tax season. And setting a monthly goal now, in fact, sets the goal.
Errors tell the truth. In several places a failed save showed a cheerful green success message. If something goes wrong now, you see what went wrong and can try again.
Message times are your times. Conversation timestamps were rendering in the wrong timezone for most of the world. Sorted.
Sign-in, hardened
Login codes are now single use and lock out after repeated wrong guesses. Every sign-in endpoint is rate limited. And a wrong password gets the same answer whether or not the email exists, so the login page no longer confirms who has an account.
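For readers who want to see the shape of these rules, here is an added sketch, not ShiftSee's own code, of a login-code check that is single use, burns the code after repeated wrong guesses, and applies the same-answer rule to the code flow as well. The class name, the threshold of 5, the 10-minute lifetime and the message strings are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed threshold; the post gives no number
CODE_TTL = 600     # assumed code lifetime, seconds
ISSUED = "If that account exists, a code is on its way."
FAILED = "Invalid or expired code."   # one answer for every failure path

def _digest(code):
    return hashlib.sha256(code.encode()).digest()

class LoginCodes:
    """Hypothetical in-memory store; production would use a shared datastore."""

    def __init__(self, known_emails):
        self.known = set(known_emails)
        self.pending = {}   # email -> [code_digest, expires_at, wrong_guesses]

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        code = None
        if email in self.known:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[email] = [_digest(code), now + CODE_TTL, 0]
        # The code would go out by email/SMS; it is returned here only for the demo.
        return ISSUED, code

    def verify(self, email, code, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        # Unknown emails are compared against a dummy digest so both paths do equal work.
        stored = entry[0] if entry else _digest("no pending code")
        match = hmac.compare_digest(stored, _digest(code))
        if entry is None:
            return False, FAILED
        if now > entry[1]:
            del self.pending[email]          # expired: burn it
            return False, FAILED
        if not match:
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self.pending[email]      # lockout: code is dead, request a new one
            return False, FAILED
        del self.pending[email]              # single use: a replay finds nothing
        return True, "Signed in."
```

Burning the code only helps if requesting a fresh one is rate limited too, which is why the per-endpoint rate limit sits alongside it.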
None of this changes how you use ShiftSee tomorrow. All of it changes how safe ShiftSee is while you do. That trade, invisible but load-bearing, is exactly the kind we like.
The full list is on the release notes page.