Overview
You can cap what OpenRouter spends so an AI coding agent or a runaway script can't drain your balance. There are four controls, and they stack: keep Auto Top-Up off so your prepaid credits are a hard ceiling, set a credit limit on each API key, cap output per request with max_tokens, and refuse expensive endpoints with provider.max_price. For the strongest protection, combine a low per-key limit with Auto Top-Up turned off.
The simplest hard cap: prepaid credits with Auto Top-Up off
OpenRouter is pay-as-you-go. If you buy a fixed amount of credits and keep Auto Top-Up off, your card is never charged on its own, so your spend can't run past the credits you've already bought. When the balance hits zero, requests start failing instead of billing you more.
- Go to the Credits page.
- Make sure "Enable auto top up" is turned off.
- Buy only the amount you're comfortable spending.
If you leave Auto Top-Up on, background usage from a key that's still in use can trigger automatic charges with no prompt, so turn it off when you want a firm ceiling. See How does Auto Top-Up work for details.
Set a spending limit on each API key
Every API key can carry its own credit limit, so a single key (or a single tool, teammate, or project) can't spend more than you allow.
- Go to your API keys.
- Create or edit a key and set a credit limit (in USD).
- Optionally set the limit to reset on a schedule — daily, weekly, or monthly — or leave it as a fixed lifetime cap.
Requests are rejected once the key passes its limit, before the call reaches the provider. If you hand out a separate key per tool or per person, give each one the smallest limit it needs. Developers who provision keys programmatically can do all of this through the Management API — see Can I create one API key per user with its own spending limit?
Cap cost per request: max_tokens and max_price
Two request parameters stop any single call from getting expensive:
-
max_tokens— caps how many tokens the model can generate in its reply. Since output tokens are usually the priciest part of a request, a sensiblemax_tokensbounds the cost of each call. This is the standard OpenAI-style field and works on the chat/completions endpoint. -
provider.max_price— sets the most you're willing to pay, in USD per million tokens, for prompt and completion. OpenRouter then only routes the request to endpoints at or under that price; if none qualify, the request fails instead of using a pricier provider.
{
"model": "openai/gpt-4o",
"messages": [...],
"max_tokens": 1024,
"provider": {
"max_price": { "prompt": 5, "completion": 15 }
}
}
See the API reference and provider routing docs for the full field list.
Why a request can still slightly overshoot a limit
Limits are checked before each request goes upstream, but the exact cost of a call is only known once it finishes. So one very large request, or many requests fired at the same time, can push you a little past a limit before usage is recorded. That's why the prepaid-credits-with-Auto-Top-Up-off approach is the firmest ceiling: pair it with a per-key limit and a sane max_tokens, and there's no card on file to charge beyond what you've already bought.
Using an AI coding agent (Cline, OpenCode, Claude Desktop, and similar)
Agentic tools re-send the conversation history, system prompt, and file contents on every step, so token usage compounds fast — a small file can turn into millions of prompt tokens over a long run. To stay safe:
- Point the tool at an API key with a low credit limit so a bad loop stops itself.
- Set
max_tokensin the tool's model settings if it exposes one. - Keep Auto Top-Up off while you're experimenting.
- Watch the run on your Activity page and stop the tool if usage climbs faster than you expect.
Check what you've actually spent
Your Activity page shows real usage and cost per request, and your current balance is on the Credits page. Use these rather than a tool's own estimate — third-party tools don't always account for OpenRouter pricing.