Spend control, enforced at the database.
Set spending limits at every level — organization, team, and individual API key. Reserve + settle pattern, 402 returned cleanly when over budget, never a partial debit. The database refuses to write a negative balance.
API key sk-nemo-...x9y0
- Ledger drift target
- $0.00
- Spend pattern
- Reserve + settle
- Over-budget response
- 402
- Cap scopes
- Org · Team · Key
24h parity check: total spend == balance
Atomic credit mutations
Never a partial debit, never an overage
Hierarchical with explicit override
Org sets the ceiling. Teams carve pools. Keys carve from teams.
Child limits never exceed parent limits, and the dashboard rolls spend up in real time — one consistent hierarchy at every level, no mapping table.
key prod-blog at 95 / 150 → next request reserves, settles, rolls up to Marketing and the org — atomically.
The credit pattern, in four atomic steps
Every LLM request goes through reserve → forward → settle (or release on failure), so a failed request costs nothing. Every mutation is atomic; cost on settle comes from the x-nemo-request-cost header — the provider’s number, never reconstructed.
Per-request credit lifecycle
Reserve
estimate + hold
Conservative estimate held against the balance.
Forward
Nemo Router
Provider call with auth + guardrails in path.
Settle
x-nemo-request-cost
Deduct actual cost; release the unused reservation.
Release
on error / timeout
Failure path returns the full reservation.
402 cleanly, never an overage
Money safety
No partial debits, no leftover reservations
When a request would breach a budget — at any scope — the API returns 402 cleanly before forwarding to the provider. The reservation is released, no LLM call is made, no credits are charged. 429 is reserved for rate-limit overruns and includes a retry-after.
- 402 = budget exceeded; reservation released, no provider call
- 429 = RPM/TPM exceeded; retry-after header included
- Held credits released on every failure path
- Daily ledger parity check: total spend == balance
Live budget signals
Full budget reference — caps, rate limits, alerts, auto-topup
- Per-key budget controls
- Max-spend (absolute, $/day, $/month) per virtual key. Independent prod / staging / experiment keys, one-click revocation, and reservations released the moment a request errors.
- Hierarchical org budgets
- Org > Team > Key inheritance with explicit override — child limits never exceed parent limits. Real-time aggregation across child keys; per-team spend visible separately for cost allocation.
- RPM + TPM rate limits
- Cap requests-per-minute and tokens-per-minute at any scope. 429 returned when limits hit (reservations not consumed); per-tier hard ceilings prevent provider rate-limit spillover.
- Budget alerts
- 50% / 80% / 100% thresholds, configurable per scope. Multi-channel delivery — email, Slack, Teams, webhook — with hysteresis to prevent flapping on near-threshold spend.
- Auto-topup
- Set a minimum-balance threshold and topup amount; Stripe charges the card and credits land in seconds. Webhook idempotent on event ID, hard cap prevents runaway topup-loops, every topup audit-logged with actor + IP.
- Money-safety invariants
- reserve → forward → settle, with every credit mutation atomic. Every failure path releases the hold automatically. The database refuses to write a negative balance. Daily parity check: total spend == balance.
Common budget questions
Reserve + settle · 402 cleanly · $0 drift target
Cost control as an architectural choice — not a feature
Sign up, set a budget, ship. The database refuses to overspend; you don’t have to babysit it.