0% platform fee — first 1,000,000 customersClaim 0% fee
Teams

Built for teams, not solo devs.

Roles, permissions, org isolation, and unlimited members on every plan. Add your whole team — no per-seat pricing, no feature gating, no cross-tenant leakage.

acme-inc · team roster

Team membership

sarah@acme.coOwner
james@acme.coAdmin
alex@acme.coMember
casey@acme.coViewer
morgan@acme.copending
Members total14 / unlimited
RLS-scopedsingle-orgaudit-logged
Roles
4

Owner, Admin, Member, Viewer

Org membership
1 user / 1 org

Database-enforced unique index

Invitation expiry
Configurable

Default 7 days, single-use tokens

Per-team budgets
Configurable

RPM/TPM + monthly spend ceilings

Permission matrix

What every role can actually do

This matrix is the contract enforced in middleware on every request — hiding a button is not security. Browser console hacks, replayed requests, and rogue tokens all hit the same wall.

Permissions by role

CapabilityOwnerAdminMemberViewer
Read keys, members, usage
Included
Included
Included
Included
Create + use virtual keyssk-nemo-... for LLM traffic
Included
Included
Included
Not available
Update org settingsBranding, data policy, callbacks
Included
Included
Not available
Not available
Invite + remove members
Included
Included
Not available
Not available
Configure guardrails + prompts
Included
Included
Not available
Not available
View audit trail
Included
Included
Not available
Not available
Export usage CSV
Included
Included
Not available
Not available
Manage billing + planStripe portal, plan change, cancel
Included
Not available
Not available
Not available
Delete the organization
Included
Not available
Not available
Not available
IncludedNot availableNot applicablenSourced footnote below
Full teams reference — roles, invites, customer tracking, budgets
Four roles, precise scope
Owner manages billing and the org itself; Admin handles all CRUD without billing; Member uses keys and reads everything; Viewer is read-only. Role checks live in middleware — never the client. A last-owner guard prevents accidental org lock-out, and every role change is audit-logged with actor + IP.
Email invitations with expiry
Single-use, time-bounded tokens (default 7 days) with a one-click accept flow. Pending invitations are visible to admins for revocation; the accept flow rejects users who already belong to another org. Bulk invite via CSV on Tier 2 + Enterprise.
Single-org-per-user, by design
Enforced by a unique database index, not a code-level check. Signup, invite, and accept-invite all reject duplicate membership. No org-switcher UI — one identity, one tenant, one bill; leave-and-rejoin is the only path to change orgs.
Customer (end-user) tracking
Pass a customer_id via the standard OpenAI metadata field and see per-end-user spend, tokens, and request volume. Per-customer budgets enforce 402 at the gateway — bill your customers however your pricing model wants.
Unlimited members, every tier
No per-seat pricing on any plan. Tier difference is platform-fee + RPM/TPM, never features — roles, audit, and invitations are identical on Tier 1 through Enterprise.
Per-team budgets and quotas
RPM, TPM, and monthly spend ceilings per team with soft + hard caps and alert thresholds. Enforcement happens at reserve-credit time — breach the limit and the gateway returns 402 cleanly, never a partial debit.
Tenant isolation

One tenant boundary, enforced at the database

Every record is scoped to your organization, and Row-Level Security enforces that boundary at the database itself — a query against the wrong tenant returns zero rows. No mapping table to drift, no sync layer to compromise.

RLS on everything

Cross-tenant queries return zero rows — by the database, not the app

Row-Level Security policies are scoped by organization_id on every table. A bug in application code cannot leak data because the database refuses to return it in the first place.

  • RLS enabled on every Nemo tenant table (Owner, Admin, Member, Viewer policies)
  • Service role bypasses RLS only inside server-side API routes
  • No `USING (true)` policies anywhere in the schema
  • Org switch invalidates every TanStack Query cache key
psql · cross-tenant probe

RLS in action

Org A reads Org A keys14 rows
Org A reads Org B keys0 rows
Service role readall rows
USING (true) policies0
Tables w/ RLS enabled100%
Cross-tenant denials (24h)0
Postgres RLSorganization_idsame-UUID
FAQ

Common team questions

Invite your team

Bring your whole engineering org — no per-seat fee

Sign up, create the org, invite by email. Roles, RLS, and audit logging are on by default. The dashboard is identical at every tier.