Stop Burning Money
on AI API Calls
TokPinch is the cost proxy that sits between OpenClaw and your LLM provider. Track every token, enforce budgets, detect runaway loops, and route to cheaper models — automatically.
Or skip the setup → join the Cloud waitlist
That's it. One line. Full cost control.
The Problem
OpenClaw Is Amazing.
The Bills Aren't.
AI agents are powerful — but without guardrails, they can drain your wallet faster than you can type a prompt.
$3,600/mo
Shocking bills from uncontrolled usage
Developers are reporting monthly bills they never saw coming. With no visibility into per-request costs, a single runaway agent can burn through your budget before you notice.
Reported by OpenClaw community on GitHub
$200 overnight
Budget burned while you slept
One heartbeat bug loop — a stuck agent pinging the API every second — burned through an entire monthly budget before the developer woke up. Zero alerts. Zero warnings.
Real incident reported on the OpenClaw Discord
Zero visibility
You can't control what you can't measure
Most OpenClaw users have no idea which agent is costing the most, which sessions are wasteful, or which models are being used. Without data, there's no way to optimise.
Common complaint in r/ClaudeAI and OpenClaw discussions
Real reports from the OpenClaw community on GitHub, Discord, and Reddit.
Features
Everything You Need to Control AI Costs
Built by developers who got burned. Every feature exists because someone, somewhere, lost money without it.
Real-time Cost Tracking
Every request logged with model, tokens, cost, and session. Dashboard updates via WebSocket in real time — no refresh needed.
Budget Enforcement
Set daily and monthly limits. TokPinch pauses requests at 100% and warns at 80%. Never get a surprise bill again.
Loop Detection
Detects runaway agents: rapid-fire requests, repeated content, cost spirals, heartbeat storms. Automatic cooldown with exponential backoff.
Smart Model Routing
Automatically routes cheap tasks — heartbeats, short messages — to Haiku instead of Opus. Save 10–50% without losing quality.
Multi-Provider Support
Works with Anthropic and OpenAI out of the box. Same proxy, same dashboard, unified cost view across all your models.
Security First
API keys pass through, never stored or logged. Docker hardened with read-only filesystem, non-root user, and no-new-privileges.
How It Works
Up and Running in 3 Minutes
No SDK changes. No code modifications. Just a proxy URL and you're done.
Install
Run TokPinch with Docker in under 30 seconds. Or install via npm for local development.
```bash
docker compose up -d
```
Connect
Add one environment variable to your OpenClaw config. That's the entire integration.
```
ANTHROPIC_BASE_URL=http://localhost:4100/v1
```
Control
Open the dashboard at :4100/dashboard. Set budgets, watch costs live, get alerts before bills surprise you.
```bash
open http://localhost:4100/dashboard
```
```yaml
services:
  tokpinch:
    image: ghcr.io/TobieTom/tokpinch:latest
    ports:
      - "4100:4100"
    environment:
      - DASHBOARD_PASSWORD=your-password
      - BUDGET_DAILY=10
      - BUDGET_MONTHLY=200
    volumes:
      - tokpinch-data:/app/data
    read_only: true
    security_opt:
      - no-new-privileges:true
volumes:
  tokpinch-data:
```
Dashboard
Command Center for Your AI Costs
Everything you need to understand, control, and optimise your LLM spend — in one real-time dashboard.
Dashboard preview: Today $0.83 | This Week $4.21 | This Month $12.47 | Avg. Daily $0.71
Security
Built for the OpenClaw Security Crisis
OpenClaw is a powerful attack surface. TokPinch was designed from day one with defense-in-depth.
API Keys Never Touch Disk
TokPinch is a pure pass-through proxy. Your API keys are read from the incoming request header, forwarded to the upstream provider, and immediately discarded. The pino logger is configured to redact authorization, x-api-key, and 15 other secret field patterns before any log line is written.
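One way to check the redaction claim above against a deployment's own logs, as an added example that is not TokPinch's code: it scans NDJSON log lines for `authorization` / `x-api-key` fields whose value is not pino's default `[Redacted]` censor, and for key-shaped strings anywhere else. The sample log lines, their field layout and the key-shape patterns are constructed assumptions.

```javascript
// Added example: audit NDJSON proxy logs for secrets that escaped redaction.
const SECRET_FIELDS = new Set(['authorization', 'x-api-key']); // the two fields the page names
const CENSOR = '[Redacted]'; // pino's default censor string
// Key-shaped values. These patterns are assumptions, not TokPinch's own list.
const KEY_SHAPES = [/\bsk-[A-Za-z0-9_-]{16,}/, /\bBearer\s+[A-Za-z0-9._-]{16,}/i];

// Walk one parsed log record and return every place a secret may have leaked.
function findLeaks(value, path = '') {
  if (typeof value === 'string') {
    return KEY_SHAPES.some((re) => re.test(value)) ? [{ path, reason: 'key-shaped value' }] : [];
  }
  if (value === null || typeof value !== 'object') return [];
  const leaks = [];
  for (const [key, child] of Object.entries(value)) {
    const childPath = path ? `${path}.${key}` : key;
    if (SECRET_FIELDS.has(key.toLowerCase()) && child !== CENSOR) {
      leaks.push({ path: childPath, reason: 'secret field not redacted' });
    } else {
      leaks.push(...findLeaks(child, childPath));
    }
  }
  return leaks;
}

// Audit a whole log file (one JSON object per line); line numbers are 1-based.
function auditLog(ndjson) {
  const findings = [];
  ndjson.split('\n').forEach((line, i) => {
    if (!line.trim()) return;
    let record;
    try {
      record = JSON.parse(line);
    } catch {
      record = line; // not JSON: still scan the raw text for key-shaped strings
    }
    for (const leak of findLeaks(record)) findings.push({ line: i + 1, ...leak });
  });
  return findings;
}

// Constructed sample log lines (field layout is an assumption for illustration).
const SAMPLE_LOG = [
  '{"level":30,"msg":"proxied","req":{"headers":{"x-api-key":"[Redacted]"}},"model":"claude-opus-4-5","cost_usd":0.0423}',
  '{"level":30,"msg":"proxied","req":{"headers":{"Authorization":"Bearer CONSTRUCTED-TOKEN-0000000000"}}}',
  '{"level":50,"msg":"upstream rejected key sk-CONSTRUCTED0000000000000000"}',
  'plain text line with no secrets',
].join('\n');

console.log(auditLog(SAMPLE_LOG));
```

An empty result on real logs only shows that nothing matched these patterns; extend `SECRET_FIELDS` and `KEY_SHAPES` to cover the providers and headers in use.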
What gets stored in SQLite
| Column | Value |
|---|---|
| model | claude-opus-4-5 |
| input_tokens | 2847 |
| cost_usd | 0.0423 |
| session_id | sess_abc123 |
| timestamp | 1706745600000 |
| blocked | 0 |
| api_key | ❌ never stored |
| message_content | ❌ never stored |
Security checklist
- API keys never stored or logged — redacted in all log output before writing
- Zero message content on disk — only metadata (model, tokens, cost, session)
- Docker hardened: non-root user, read-only filesystem, no-new-privileges
- JWT auth with auto-generated 512-bit secrets, 24-hour expiry
- Rate limiting on all endpoints: proxy routes, API, and login (5 attempts/min)
- WebSocket token re-validated on every incoming message
- Per-route CORS enforced with strict origin allowlist
- Content-Type validation on all proxy requests — no request smuggling
- Test endpoints auto-disabled in production (return 404)
- Full SECURITY.md with responsible disclosure process
Pricing
Start Free, Scale When Ready
The core proxy is free and open source forever. Pro features coming soon for power users who need more.
Free
For individual developers
- Full dashboard (Overview, Sessions, Budget, Alerts)
- Real-time cost tracking via WebSocket
- Budget enforcement (daily & monthly)
- Loop detection with auto cooldown
- 1 TokPinch instance
- Community support (GitHub Issues)
- Not included: Smart model routing
- Not included: Email / Telegram alerts
Pro
For power users
- Everything in Free
- Smart model routing (save 10–50%)
- Email & Telegram budget alerts
- Priority support
- Up to 3 instances
- Not included: Advanced routing rules
- Not included: Unlimited instances
- Not included: Team dashboard & SSO
Team
For teams & agencies
- Everything in Pro
- Unlimited instances
- Team dashboard
- Cost allocation by project
- SSO (SAML / OIDC)
- Dedicated SLA
- Custom routing rules
- Audit log export
All tiers include self-hosting. Your data never leaves your infrastructure. View the source code on GitHub.
TokPinch Cloud
Don't Want to Self-Host?
TokPinch Cloud is coming. Same powerful dashboard, zero infrastructure. Point your OpenClaw at our managed proxy and we handle the rest.
We'll only email you when Cloud launches. No spam.
100% Open Source. MIT Licensed.
TokPinch is free to use, modify, and self-host. No vendor lock-in, no telemetry, no surprises. Star us on GitHub to follow along.