Cap AI spend for a Slack/support bot in 10 minutes
If your bot or app's AI spend is growing, Talon gives you a simple promise:
You can cap AI spend before it runs away, and prove every allow/deny decision with signed evidence.
This guide shows the fastest path to that outcome for a support-bot agent.
What this guide covers
- Hard daily/monthly spend caps for one agent (
support-slack-bot) - Deny before any upstream provider call when the next request would exceed cap
- Signed evidence for both allowed and denied decisions
- Dashboard + CLI visibility for today/month, by agent/model/provider
1. Define the agent with hard EUR caps
The bot is one AI use case, so it gets one agent.talon.yaml — its Talon traffic identity and its one policy override over the organization baseline:
agent:
name: support-slack-bot
tenant_id: default # optional; omitted = "default"
key:
secret_name: support-slack-bot-talon-key # vault reference — never a raw key
policies:
cost_limits:
daily: 10.00 # replaces the baseline daily cap
monthly: 200.00 # replaces the baseline monthly cap
models:
allowed: ["gpt-4o-mini"] # gateway model allowlist for this agent
data_classification:
input_scan: true # scan-only → PII action "warn" for this agent
Mint the agent key the bot will present to the gateway (the vault stores it encrypted; keep the value in your secret manager):
AGENT_KEY="$(openssl rand -hex 24)"
talon secrets set support-slack-bot-talon-key "$AGENT_KEY"
The gateway side of talon.config.yaml holds only providers and the organization baseline (see examples/gateway/talon.config.gateway.yaml):
gateway:
enabled: true
listen_prefix: "/v1/proxy"
mode: "enforce"
providers:
openai:
enabled: true
secret_name: "openai-api-key"
base_url: "https://api.openai.com"
organization_policy:
defaults:
pii_action: "warn"
daily_cost: 100.00 # organization baseline; the agent override above wins for this agent
monthly_cost: 2000.00
constraints:
max_daily_cost: 500.00 # optional org ceiling no agent override can exceed (#287)
For a demo, temporarily lower the agent's cost_limits.daily (for example 0.01) so you can trigger a denial quickly.
Effective caps = one calculation path. The caps enforcement applies are resolved by the same function that feeds talon costs and the dashboard budget endpoint: organization baseline (organization_policy.defaults.daily_cost / monthly_cost) → the agent's one override (an agent cap replaces the baseline when > 0). Org budget ceilings (organization_policy.constraints.max_daily_cost / max_monthly_cost, #287) are enforced in addition to the resolved per-agent cap — an agent override can never raise them, and a ceiling denial names the organization in the deny reason (budget_exceeded: request would exceed organization daily cost limit). What you see reported is exactly what is enforced.
2. Start Talon gateway
talon serve --gateway --gateway-config=path/to/talon.config.yaml
Ensure provider keys are in vault (for example talon secrets set openai-api-key "sk-...").
3. Run the 6-step demo flow
- Configure a very low
cost_limits.dailyforsupport-slack-bot - Send one request that is allowed
- Send a second request that would exceed budget
- Verify Talon denies before the provider call
- Verify signed evidence exists for the denial
- Verify dashboard budget utilization reflects the event
Example calls — the bot authenticates with its agent key ($AGENT_KEY from step 1):
# Allowed request (first call)
curl -sS "http://localhost:8080/v1/proxy/openai/v1/chat/completions" \
-H "Authorization: Bearer $AGENT_KEY" \
-H "Content-Type: application/json" \
-d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"Summarize ticket #123"}]}'
# Denied request (second call, over cap)
curl -sS "http://localhost:8080/v1/proxy/openai/v1/chat/completions" \
-H "Authorization: Bearer $AGENT_KEY" \
-H "Content-Type: application/json" \
-d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"Summarize ticket #124"}]}'
Expected deny characteristics:
- HTTP 403
- Machine-readable error code/reason contains
budget_exceeded - No upstream provider execution for the denied call
- Signed evidence row recorded with denial reason and estimated pre-call cost
4. Verify with CLI and dashboard
CLI:
talon costs --tenant default
talon costs --agent support-slack-bot --json
talon costs --by-provider --tenant default
talon costs --agent reports the agent's effective daily/monthly caps — resolved through the same computation enforcement uses, so the numbers can never drift from runtime behavior.
Export cost rows (joinable to signed evidence by evidence_id):
talon costs export --tenant default --agent support-slack-bot --format csv
talon audit export --tenant default --agent support-slack-bot --format signed-json
HTTP/API equivalents:
GET /v1/costsGET /v1/costs/budget?agent_id=support-slack-botPOST /v1/costs/export
Dashboard:
/gateway/dashboardfor the real-time agent/model/provider operational view/dashboardfor the evidence-backed governance view and drill-down
Cost visibility vs caps vs evidence attribution
- Cost visibility: today/month totals and breakdowns by tenant/agent/model/provider
- Hard budget caps: deny requests that would exceed the effective daily/monthly cap before the provider call
- Evidence-backed attribution: every allow/deny is signed and traceable by evidence ID, including budget-denied rows with zero provider cost and denial reason
This is the launch narrative connection to evidence integrity:
Verified evidence proves both governance decisions and cost attribution.
Native agents (no gateway)
The same agent.talon.yaml governs talon run — same file, same caps, same derived tenant:
policies:
cost_limits:
per_request: 0.50
daily: 20.00
monthly: 400.00
Next steps
| I want to… | Doc |
|---|---|
| Verify signed exports and tamper checks | How to export evidence for auditors |
| Understand dashboard metrics schema | Gateway dashboard |
| Add more agents/models | Configuration and environment |
| Apply additional governance snippets | Policy cookbook |