Built for teams, not solo devs.
Roles, permissions, org isolation, and unlimited members on every plan. Add your whole team — no per-seat pricing, no feature gating, no cross-tenant leakage.
Team membership
- Roles
- 4
- Org membership
- 1 user / 1 org
- Invitation expiry
- Configurable
- Per-team budgets
- Configurable
Owner, Admin, Member, Viewer
Database-enforced unique index
Default 7 days, single-use tokens
RPM/TPM + monthly spend ceilings
What every role can actually do
This matrix is the contract enforced in middleware on every request — hiding a button is not security. Browser console hacks, replayed requests, and rogue tokens all hit the same wall.
Permissions by role
| Capability | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Read keys, members, usage | Included | Included | Included | Included |
| Create + use virtual keyssk-nemo-... for LLM traffic | Included | Included | Included | Not available |
| Update org settingsBranding, data policy, callbacks | Included | Included | Not available | Not available |
| Invite + remove members | Included | Included | Not available | Not available |
| Configure guardrails + prompts | Included | Included | Not available | Not available |
| View audit trail | Included | Included | Not available | Not available |
| Export usage CSV | Included | Included | Not available | Not available |
| Manage billing + planStripe portal, plan change, cancel | Included | Not available | Not available | Not available |
| Delete the organization | Included | Not available | Not available | Not available |
Full teams reference — roles, invites, customer tracking, budgets
- Four roles, precise scope
- Owner manages billing and the org itself; Admin handles all CRUD without billing; Member uses keys and reads everything; Viewer is read-only. Role checks live in middleware — never the client. A last-owner guard prevents accidental org lock-out, and every role change is audit-logged with actor + IP.
- Email invitations with expiry
- Single-use, time-bounded tokens (default 7 days) with a one-click accept flow. Pending invitations are visible to admins for revocation; the accept flow rejects users who already belong to another org. Bulk invite via CSV on Tier 2 + Enterprise.
- Single-org-per-user, by design
- Enforced by a unique database index, not a code-level check. Signup, invite, and accept-invite all reject duplicate membership. No org-switcher UI — one identity, one tenant, one bill; leave-and-rejoin is the only path to change orgs.
- Customer (end-user) tracking
- Pass a customer_id via the standard OpenAI metadata field and see per-end-user spend, tokens, and request volume. Per-customer budgets enforce 402 at the gateway — bill your customers however your pricing model wants.
- Unlimited members, every tier
- No per-seat pricing on any plan. Tier difference is platform-fee + RPM/TPM, never features — roles, audit, and invitations are identical on Tier 1 through Enterprise.
- Per-team budgets and quotas
- RPM, TPM, and monthly spend ceilings per team with soft + hard caps and alert thresholds. Enforcement happens at reserve-credit time — breach the limit and the gateway returns 402 cleanly, never a partial debit.
One tenant boundary, enforced at the database
Every record is scoped to your organization, and Row-Level Security enforces that boundary at the database itself — a query against the wrong tenant returns zero rows. No mapping table to drift, no sync layer to compromise.
RLS on everything
Cross-tenant queries return zero rows — by the database, not the app
Row-Level Security policies are scoped by organization_id on every table. A bug in application code cannot leak data because the database refuses to return it in the first place.
- RLS enabled on every Nemo tenant table (Owner, Admin, Member, Viewer policies)
- Service role bypasses RLS only inside server-side API routes
- No `USING (true)` policies anywhere in the schema
- Org switch invalidates every TanStack Query cache key
RLS in action
Common team questions
Invite your team
Bring your whole engineering org — no per-seat fee
Sign up, create the org, invite by email. Roles, RLS, and audit logging are on by default. The dashboard is identical at every tier.