Roles, permissions, org isolation, and unlimited members on every plan. Add your whole team — no per-seat pricing, no feature gating, no cross-tenant leakage.
Team membership
Owner, Admin, Member, Viewer
Database-enforced unique index
Default 7 days, single-use tokens
RPM/TPM + monthly spend ceilings
Four roles with precise permissions, email invitations with expiry, per-customer spend tracking, and full multi-tenant isolation — enforced at the database level, not in application code.
Owner manages billing and the org itself. Admin handles all CRUD without billing. Member uses keys and reads everything. Viewer is read-only. Roles are enforced on every API call, not the UI.
Invite teammates by email with a one-click accept flow. Tokens are single-use, time-bounded, and rejected if the invitee already belongs to another org.
Every user belongs to exactly one organization, enforced by a unique database index on the org-membership table. No multi-org switching, no ambient org selection, no cross-tenant context bleed.
Pass a `customer_id` on each request and see per-end-user spend, token usage, and request volume in the dashboard. Bill your customers however your pricing model wants.
No per-seat pricing on any plan. Add your whole engineering org — Tier 1, Tier 2, Tier 3, or Enterprise — and pay only for the LLM usage they generate.
Configure RPM, TPM, and monthly spend ceilings per team. Breach the limit and the gateway returns 402 cleanly — no partial debit, no surprise bill.
The matrix below is the contract enforced in middleware on every request. Owner is the only role that can touch billing or delete the org; Viewer can read but never write.
Role-based access
Hiding a button is not security. Every Nemo API route validates role + organization_id before any read or write. Browser console hacks, replayed requests, and rogue tokens all hit the same wall.
Permission outcome
Permissions by role
| Capability | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Read keys, members, usage | Included | Included | Included | Included |
| Create + use virtual keyssk-nemo-... for LLM traffic | Included | Included | Included | Not available |
| Update org settingsBranding, data policy, callbacks | Included | Included | Not available | Not available |
| Invite + remove members | Included | Included | Not available | Not available |
| Configure guardrails + prompts | Included | Included | Not available | Not available |
| View audit trail | Included | Included | Not available | Not available |
| Export usage CSV | Included | Included | Not available | Not available |
| Manage billing + planStripe portal, plan change, cancel | Included | Not available | Not available | Not available |
| Delete the organization | Included | Not available | Not available | Not available |
organization_id is the same value in your Bearer key, in the Frontend session, in Nemo Backend, in the in-process Nemo Intelligent Proxy Router, and in every nemo.* table. There is no mapping table to drift, no sync layer to compromise.
RLS on everything
Postgres Row-Level Security policies are scoped by organization_id on every nemo.* table. A bug in application code cannot leak data because the database refuses to return it in the first place.
RLS in action
Single-org-per-user enforced at the database is the detail that closed our security review. We could not engineer a way to leak across tenants because the schema refused to return rows.
Director of Engineering
Series-B health-tech, ~80 engineers
Invite your team
Sign up, create the org, invite by email. Roles, RLS, and audit logging are on by default. The dashboard is identical at every tier.