This is nice, cool HTML skills so far.

But tell me, since you have access to the API credentials of your 'free customers', what would stop a hacker from misusing the system to make unauthorized payments using those credentials?

Is that completely off the table with your little website?