Quick Answer
An AI-built app with no spend cap is a billing account anyone can drain. One viral day or one runaway loop can turn a $20 month into a five-figure bill. Before you point real traffic at your app, run this short pass: set a hard monthly spend cap on every paid AI service, set it a little below your true ceiling, turn on billing alerts, add a rate limit, keep your keys out of your code and public repo, use separate keys for testing and live, add a daily cap, and do one final check the day you launch. It takes about ten minutes and closes the hole before strangers find it.
If you built your app with Lovable, Bolt, Cursor, or Claude Code and you wired in an AI service without setting a spend cap, here is what can happen. Your app has a quiet weekend. Then one post goes viral, or a bot finds your endpoint and loops on it all night. Monday morning, the invoice is not a celebration. It is a number you did not agree to.
This is not a rare horror story. It is the most common way AI-built apps hurt their makers.
Definition
Spend cap: a hard dollar limit you set on a paid service. When spending reaches the limit, the service pauses instead of charging more. It is the circuit breaker for your bill.
Why "It Worked in Testing" Doesn't Protect You
When you test your app, you are the only user. You make a handful of calls. The cost is pennies. Everything feels safe.
A spend cap is not there for normal days. It is there for the abnormal one. The viral spike. The runaway loop. The stolen key. Those days are exactly when you are not watching, and they are when the bill is made.
The providers know this. Google started enforcing mandatory spend caps on the Gemini API on April 1, 2026, with hard monthly limits at every tier that cannot be turned off (Google AI for Developers). They did not add this for fun. They added it after the disasters.
The Cost of Ignoring It
The numbers are not theoretical.
A three-person startup had its Gemini API key stolen. Its normal spend was about $180 a month. The stolen key ran up $82,314.44 in 48 hours (GenAI / Medium).
Even the providers themselves fail sometimes. An August 2025 Gemini billing bug charged some developers more than $70,000 for tokens they never used (TokenCost).
And caps are not magic. When you hit a Gemini cap, requests can keep processing for about ten minutes before they pause, and you pay for that overage (Google AI for Developers). That is why you set your cap a little below the number you can actually afford, not exactly on it.
The lesson is simple. Do not trust the provider to protect you. Set your own limits, and set them on purpose.
The Pre-Launch Cost Checklist
Here is the ten-minute pass to run before real traffic hits your app. Every item is a switch you flip in a settings screen. None of it requires touching code.
- Set a hard monthly spend cap on every paid AI service. In Gemini this is a Project Spend Cap; in OpenAI it is a project budget limit (OpenAI). Pick the dollar number you could lose in a bad month without panic.
- Set the cap a little below your true ceiling. Five to ten percent under is a safe buffer, because spending can keep going for a few minutes after the limit is hit.
- Turn on billing alerts at 50% and 80% of the cap. You want an email warning before service pauses, not a surprise after the bill lands.
- Add a rate limit. Limit how many requests one user can make per minute, so a bot loop or a viral spike cannot hammer the service thousands of times.
- Keep your API keys out of your front-end and out of your public repo. A key anyone can read is money anyone can spend.
- Use one key for testing and a different one for the live app. If the live key leaks, you can kill it instantly without breaking your tests.
- Set a per-user limit if your tool supports it. That stops one abusive account from eating the whole budget.
- Add a daily cap on top of the monthly one. A runaway day then gets caught in hours, not at month-end.
- Write down where each cap and alert lives. Future-you needs to find and adjust them in two minutes, not two hours.
- Do one final pass on launch day. Confirm caps are on, alerts are on, and no test key is sitting in the live app.
Key Takeaways
- A spend cap is a circuit breaker for the one abnormal day, not the normal ones.
- Set caps a little below your true ceiling, because charges can lag past the limit.
- A leaked key is someone else's spending money — keep keys out of code and public repos.
- Layer the protections: monthly cap, daily cap, rate limit, and alerts together.
Get the Audit Done For You
Running this by hand is fine. Doing it the same way every time, on every project, is hard to keep up.
We packaged the whole pass into a drop-in tool that checks your cost guardrails for you — caps, alerts, rate limits, and exposed keys — and tells you exactly what is missing before you launch.
Get the AI Cost Guardrails audit →
FAQ
Where do I set a spend cap in Gemini or OpenAI? In Gemini it lives in the billing settings as a Project Spend Cap; in OpenAI it is under your project's limits in the dashboard. Both are settings screens, not code.
What spend cap number should I pick? Choose the amount you could lose in a bad month without it hurting, then set the cap about five to ten percent below that, because charges can lag a few minutes past the limit.
Will a spend cap break my app for real users? Only if real demand exceeds your cap. That is why you add billing alerts at 50% and 80% — they warn you in time to raise the cap before service pauses.
What happens if my API key gets stolen? Whoever has it can spend your money until you stop it. Keep keys out of your front-end and public repo, use separate test and live keys, and rotate the live key the moment you suspect a leak.
Is a rate limit different from a spend cap? Yes. A spend cap limits dollars; a rate limit limits how often the service can be called. You want both — the rate limit slows an attack, the spend cap stops the bleeding.
