Set spending limits at every level — organization, team, and individual API key. Reserve + settle pattern, 402 returned cleanly when over budget, never a partial debit. The database refuses to write a negative balance.
API key sk-nemo-...x9y0
24h parity check: sum(transactions) == balance
Atomic mutations under advisory locks
Never a partial debit, never an overage
Hierarchical with explicit override
Per-key, per-team, and per-org spending limits with hard and soft thresholds. Alerts at 50/80/100%, RPM/TPM rate limits stop runaways, and auto-topup keeps production online.
Set maximum spend on individual virtual keys — daily, monthly, or absolute. When a key hits its limit, requests are blocked instantly with a clean 402; no surprise charges, no overruns.
Budget limits cascade from organization to team to virtual key. Child limits never exceed parent limits. The result: a single dashboard view of where every dollar of spend goes.
Every LLM request reserves credits before forwarding. After the response returns, the actual cost is settled and excess released. Failures release the full reservation. The database refuses to write a negative balance.
Cap requests-per-minute and tokens-per-minute at any scope. Prevent runaway loops from burning credits, smooth out bursty workloads, and protect downstream provider rate limits.
Get notified when spending hits configurable thresholds. Multi-channel (email, Slack, Teams, webhook). Per-org thresholds with hysteresis to prevent flapping.
Automatic credit replenishment when balance drops below a threshold. Stay online without manual intervention. Stripe charges your card and credits land in seconds.
Every LLM request goes through reserve → forward → settle (or release on failure). Postgres advisory locks make every mutation atomic; the database refuses to write a negative balance.
Per-request credit lifecycle
Reserve
estimate + hold
Conservative estimate held against the balance.
Forward
Nemo Backend → in-process router
Provider call with auth + guardrails in path.
Settle
x-nemo-response-cost
Deduct actual cost; release the unused reservation.
Release
on error / timeout
Failure path returns the full reservation.
Cost on settle comes from the x-nemo-response-cost header — the provider’s number, never reconstructed by us. Failures always call release_reservation; denied requests cost zero credits.
Money safety
When a request would breach a budget — at any scope — the API returns 402 cleanly before forwarding to the provider. The reservation is released, no LLM call is made, no credits are charged. 429 is reserved for rate-limit overruns and includes a retry-after.
Live budget signals
Inheritance
Budgets cascade from organization to team to individual virtual key. The org sets the hard ceiling; teams divide it into sub-pools; individual keys carve from the team allocation. Real-time aggregation across child keys means the dashboard always reflects current spend.
Spend rollup
Set a minimum balance threshold and a topup amount. When your balance drops below the threshold, Stripe charges your card and the credits land in seconds. Hard cap prevents runaway topup-loops; every topup is audit-logged.
Threshold (e.g. balance < $10) and topup amount (e.g. +$50). Configure once; revoke any time.
Stripe webhook is idempotent on event ID. Failed payment surfaces as a 402 with retry guidance.
Audit-trail entry per topup with actor + source IP. Hard cap prevents runaway topup-loops.
Reserve + settle · 402 cleanly · $0 drift target
Sign up, set a budget, ship. The database refuses to overspend; you don’t have to babysit it.