Product design

Pricing, entitlements and credits

Today every AgencyCore org gets the whole platform, and there is no way to sell a smaller package, charge for how much AI work an org runs, or cap how many people use it. The business has decided to sell the platform in tiers instead - CRM only, agents only, a single agent, and network access - with individual apps to be sold separately later, a pool of usage credits in every plan, and support for multiple users per org. This page walks through what was decided, what already exists in the code, and how the new model works, then ends with the questions still open for the team to settle.

Mechanisms entitlements · credits · limitsPlans CRM · Agents · EverythingDelivery 2 tickets
Plan templateOrg grantsResolved snapshotEnforce
00

The plan in one view

Today an org either has AgencyCore or it does not: there is no switch to turn on the CRM but not the agents, no meter on how much AI work it runs, and no cap on how many people it seats. Selling tiers means adding all three, and the model keeps them as three independent mechanisms so each stays simple. An entitlement is a per-org on/off switch for one module - can this org use the CRM at all? A credit is the single currency every AI and agent action spends, drawn from a balance that refills each billing period. A numeric limit is a plain plan-set quota, such as the seat count or the daily email volume. Keeping them separate is what lets a plan mix and match modules, a credit stay one currency, and a limit stay a plain number. This page covers the mechanism, not the final price list.

EntitlementsCan this org use this module at all?A per-org on/off switch for each module, keyed by a neutral slug so it does not matter whether the module is an app or an agent.
CreditsHow much AI and agent work?One shared balance per billing period; every metered action spends from it at a set price.
LimitsHow many, how often?Plan-set quotas, currently the seat count and the daily email send cap.

Twelve decisions settle the shape of the model. Grouped into three themes below, each one states the call that was made and why; the sections that follow expand the reasoning, and the linked Linear document holds the full detail.

Packaging and pricing
PackagingPlans are built from module switches with per-org overrides on top, so sales can assemble any bundle without a code change.
Sales motionAn admin sets each org plan; the customer only sees a usage and plan page, since self-serve checkout is not being built yet.
Apps vs agentsModules are keyed by neutral slugs, so an item can move between the app and agent runtimes without rewriting any plan.
NetworkOne on/off key covers the whole shared marketplace, rather than a separate key per network feature.
Usage and limits
CreditsAll metered AI and agent work spends from one credit balance, not separate per-feature counters, so a customer tracks a single number.
OverageAn org gets a warning at 80 percent of its credits and a hard stop at 100, rather than silent overage billing.
SeatsEach plan caps the number of seats, but credits stay pooled across the org rather than split per user.
EmailDaily send volume is capped per plan, and a global send-spacing rule protects shared deliverability for everyone.
Rollout and motion
GrandfatheringEvery org that exists at launch moves to the full Everything plan at its current price, so nobody loses access on day one.
TrialsA module can be trialed with a time-boxed grant row that expires on its own, reusing the same grant mechanism as paid add-ons.
LapseWhen a plan lapses or downgrades, its modules drop to read-only rather than vanishing, so data is never lost.
RBACOnly a minimal set of user roles ships now; full role-based access control is deferred to keep this scope shippable.
01

Where we are today

Some of this already exists. A first billing integration shipped recently: during onboarding the org's card is captured, and an admin triggers the first charge by hand, since there is no self-serve checkout. That work also added a catalogue of plans and a subscription state machine to the database. What it does not do is gate any module or meter usage, and that is what this initiative adds. Four facts from the codebase set the starting line.

Billing foundation is liveOn staging today: the plan catalogue, one subscription per org, custom per-org pricing, card capture during onboarding, Stripe webhooks, and triggers that lock an org out on non-payment.
Nothing is gated yetThe only access checks in production are login, superadmin, and onboarding guards; every app that ships auto-installs into every org, so all orgs see the whole platform.
Usage metering is only half wiredExa, Firecrawl, and Parallel already record usage; Hunter.io, Explorium, FullEnrich, Nylas email sends, and managed-agent runs do not, so a lot of billable work is currently invisible.
There is no concept of a seatMembership stores a role value on a single router; there are no invitations, no seat counts, and the frontend does not read roles at all.
depOne piece of the billing work has to land first

The billing integration has a final phase still being finished - letting an admin activate a subscription and handling the Stripe lifecycle webhooks. It rewrites the same admin subscription screens this work builds on, so this initiative waits for it to merge rather than colliding with it.

02

How gating works

Gating is built from three pieces. An entitlement key is a neutral slug for one module (crm, sonar, envoy, and so on); it deliberately does not say whether that module is an app, an agent, or a core feature, so a module can move between runtimes without touching any plan. A plan template is the set of keys a plan turns on. A grant is a per-org exception row that adds a key the plan lacks, removes one it has, or trials one with an expiry date. A resolver service combines the plan template with the org's grants into a single resolved snapshot of which modules the org can use, caches it in Redis, and rebuilds it whenever a plan or grant changes.

Entitlement keys
crmContacts, companies, pipeline, tasks, lists, inboxCRM routers, CRM routes, sidebar
sonarSonar agent appApp install layer, workflow run start
headhunterHeadhunter agent appApp install layer, workflow run start
envoyEnvoy agent appApp install layer, Envoy routers, workflow run start
networkReferral marketplace (post plus browse and claim), news, Slack invitesNetwork routers and routes
analyticsAnalytics dashboardsAnalytics router and route
asset_libraryDocuments, playbooks, battlecardsPlaybooks and battlecards routers, asset routes
base platformSettings, profiles, notifications, onboarding, terms, data layernever gated

That snapshot has to be checked everywhere a change can be written, not only at the API routes, because background jobs and the workflow engine write data without going through a route. Enforcement therefore lives at the four points below, all in the API and frontend layers; pushing entitlement checks down into database row-level security is deliberately left out of the first version.

API dependencyA require_feature(key) dependency, one line per router, that blocks writes and agent-run starts and returns a structured reason the frontend can show.
Service helperThe same check callable from the workflow engine and Celery jobs, so writes that never pass through an API route still cannot slip past.
Frontend guardRoute metadata beside the existing superadmin guard, plus nav hiding, locked states, and upsell prompts for modules the org does not have.
App install syncInstalling and uninstalling apps follows the entitlements, replacing the trigger that currently auto-installs every app into every org.

Try it below. Pick a base plan, then click the entitlement chips to add modules as grants, or pick one module to trial. The resolved snapshot on the right shows exactly which modules the org ends up with and where each one came from. Cross-module actions - an action in one module that reaches into another, such as adding a person to the CRM from an agent app - check the target module's key, so the list of what is allowed flips live as you add and remove access.

Base plan
Entitlements click a module to grant it as an add-on
Trial one module a time-boxed grant that unlocks like any other
Resolved snapshotplan + grants
5modules
3seats
8,000credits / mo
Unlocked modules
sonarplanheadhunterplanenvoyplananalyticsplanasset_libraryplan
Cross-module actions
Sync to CRM / add to CRMcrm
Add to listcrm
Enrol in sequenceenvoy
Refer to network poolnetwork
Browse or claim from networknetwork
Enrich company or personcrm + cr
03

How credits work

A credit is the single balance an org spends on AI and agent work, and it refills each billing period. Work is priced per metered action - a named user action with a fixed credit price, such as running Sonar once or enriching one company - not per underlying API call, so the price does not swing with how many calls a feature happens to make. The list of metered actions is a registry in code, so a typo cannot quietly meter nothing, and the prices sit in a table an admin can tune without a deploy. Each action checks the balance before it runs: at roughly 80 percent used the org gets a warning through the notification system, at 100 percent credit-spending actions stop, viewing data the org already has is never blocked, and an admin can sell a top-up pack to add more. Spend some credits below.

0of 10,000 credits used10,000 remaining
080% warn100% stop
Viewing existing data is never blocked. Only credit-spending actions check the balance.
Metered actions flat price per action
Metering gaps to close first
Hunter.ioExploriumFullEnrichNylas sendsManaged-agent runsOrg-facing usage page
04

Limits, trials and lapse

Three more rules sit beside the module switches, all read from the same resolved snapshot. Numeric limits cap how much an org can do, trials open a module for a fixed window, and lapse - what happens when a plan stops being paid for or is downgraded - decides what an org can still do once its access is pulled.

Numeric limits

A seat cap per plan, enforced when a member is added. A daily email send cap that scales with the tier and applies to every plan, because one compromised org sending spam damages sending reputation for everyone. A global spacing rule on outgoing mail is deliverability hygiene, not something a customer can buy more of.

Per-module trials

A trial is just a grant row marked as a trial with an expiry date, the same kind of row the composer above toggles. It unlocks the module like any other grant, so every enforcement point already handles it with no special case. The trialed module shows a countdown, and a scheduled job removes the grant when it expires.

Lapse and downgrade

When a plan lapses or downgrades, the affected modules go read-only: existing data stays visible, but writes and credit-spending actions stop, and any running sequences or schedules pause cleanly rather than erroring. A fully lapsed subscription drops every module to read-only no matter which keys the plan held.

05

Rollout and delivery

No existing customer loses anything at launch. A one-time migration puts every current org on the Everything plan at the price it already pays - the grandfathering step - and any repricing is a later sales conversation. Enforcement then switches on in the deliberate order below: it ships dark first, meaning the resolver runs and works out what each org should have but blocks nothing, so it can be checked against reality before it can lock anyone out. The build splits into two tickets because the halves are independent. One builds the gating layer - plans, grants, the resolver, and enforcement. The other builds the usage and credits layer - metering, the ledger, and email caps - and its metering phase does not depend on the first ticket, so it can start in parallel.

1
Ship enforcement darkthe resolver runs for every org but nothing is blocked
2
Verify the snapshotscheck each org resolves to the access it should have
3
Turn on frontend gatingnav hiding, locked states, upsell prompts
4
Turn on API enforcementsoak on staging first, then production
Ticket AEntitlements: composable plans, module gating, seats, and trials
P1
Model and resolution

The plan template schema, the grants table, the resolver and its snapshot cache, an extended subscription endpoint, and the admin UI for composing plans and managing grants.

P2
Enforcement

The require_feature dependency and its service-layer twin, registered on every router; agent run-start checks; the frontend guard, nav hiding, and locked states; cross-module action checks; entitlement-driven app install; read-only lapse; and the seats-and-limits framework.

P3
Trials and launch

Trial grants with their expiry sweep and UI; the grandfathering migration; dark-launch verification; and the staged switch-on.

Ticket BUsage credits: metering, the ledger, email caps, and top-ups
P1
Metering and visibility

Usage metering for the providers that lack it (Hunter, Explorium, FullEnrich, Nylas sends, managed-agent runs), plus an org-facing usage endpoint and a customer usage page.

P2
Credit system

The registry of metered actions, the price table with admin editing, the ledger and per-period balances, the pre-flight balance check, and the warnings sent through notifications.

P3
Email protections and top-ups

Per-plan daily send caps, the outgoing-mail spacing rule, top-up packs, and admin worklists for watching usage.

Out of scope for the first version
  • Full per-feature role-based permissions, custom roles, and an audit log UI
  • Self-serve plan purchase, upgrade checkout, and a public pricing page
  • Per-seat pricing in Stripe with proration
  • Metered billing through Stripe and automatic overage invoicing
  • The marketplace product itself (the browse-and-install experience)
  • Invitations and self-serve team management
06

Discussion points

This page exists to drive a planning conversation. Everything below is still open - a decision to make, not a design already settled. Each item is a question with enough context to take a side; come with a position on each.

01

Who owns each ticket, and when does this run?

The gating ticket and the credits ticket each need an owner, and the work has to be slotted against the agent runtime migration already underway. The credits ticket metering phase is the natural piece to run in parallel, since it does not depend on the gating layer.

02

What happens to the existing entitlements-and-roles ticket?

A backlog ticket already covers both entitlements and role-based access. This spec replaces its entitlements half. The proposal is to re-scope that ticket down to just the deferred role work (role hierarchy, permission primitives, UI guards, audit log) rather than close it. Agree?

03

Is this the right list of modules?

The proposed paid modules include analytics and the asset library, while the underlying data layer stays free for every org. Does that match where those features are heading?

04

Is this the right starting set of metered actions, and which are free?

The registry prices a handful of actions (Sonar and Headhunter runs, enrichment, agent runs, email drafts). We need to agree that initial list and which actions launch priced versus free; email sends, for instance, are priced at zero today.

05

How should credits be priced, and how big should each allowance be?

Prices need a margin approach applied to the real cost data the usage rollup will collect, and each plan needs a sensible monthly credit allowance. Both are placeholder numbers on this page.

06

When does the marketplace split into apps versus agents, and does any of it land here?

The neutral slugs are designed so a module can later move between the app and agent runtimes. The open question is timing: whether any marketplace install surface ships with this work or strictly after it.

07

Will the launch check every org before enforcement turns on?

Before enforcement is enabled, the dark-launch verification has to confirm every existing org resolves to the access it should have, including comped and demo orgs that are easy to miss. Confirm that sweep is in scope.

AgencyCore · Pricing, entitlements and creditsentitlements · credits · limits