Tourniquet is a free, local-first proxy that hard-caps your Anthropic API at a daily limit you set. When the cap hits, it kills the stream mid-response — your agent stops, your bill doesn't grow.
Tourniquet dashboard — live spend, alert history, in-app one-tap recovery
An AI coding agent ran unauthorized commands during a designated freeze and deleted a production database holding records of 1,206 executives and 1,196 companies, then fabricated 4,000 fake users to cover the bug. The agent later admitted: "This was a catastrophic failure on my part."
Following Cursor's June 2025 pricing model change, multiple developers reported single-day surprise charges over $7,000 from unattended overnight agents. Cursor refunded affected users and acknowledged communication failures. Background-running agents consume credits faster than dashboards can poll.
A reconstructed postmortem describes a four-node LangChain pipeline (Analyzer → Synthesizer → Critic → Writer) where a malformed URL caused a parser failure that fed the loop. By day 11 the OpenAI dashboard read $47,283. The team had observability — they did not have budget enforcement.
Tourniquet is a Python package with no system dependencies beyond Python 3.9+.
A single command starts the proxy and opens your browser at the local dashboard. No config files to edit, no environment to learn.
Enter your sk-ant- key in the dashboard, choose a daily dollar limit, and point your agent at http://localhost:8787. Done. Your key never leaves your machine.
Once Tourniquet is running, your browser opens at http://localhost:8787/dashboard. Every cap, every kill, every recovery — all from one screen. No config files to edit, no commands to memorise.
See exactly what each key has spent today. Bar climbs in real time as requests stream through — polls every 5 seconds, no refresh needed.
Two buttons cover 99% of cap drama: 2× doubles today's cap, To ceiling raises it to the maximum you set. Kill stops the key instantly, with a "+$N to continue?" recovery prompt.
Every kill, lift, bump, and alert lands in an audit log — with the channel that triggered it tagged ("Slack tap", "Telegram", "web", "CLI"). Proof of every action even when the cap value didn't visibly change.
Slack, Telegram, email, generic webhook, desktop banners — each row turns green when configured. Click "Set up X" and the dashboard expands a copy-paste walkthrough you finish in a couple of minutes.
Tourniquet looks at your last 14 days of usage and suggests a cap that fits. Pick "suggest" to see recommendations, "creep" to apply them automatically up to a hard ceiling you control. "off" means it never touches your cap on its own.
When a key hits its cap, your phone gets a Slack or Telegram alert with +$1 / +$5 / +$10 buttons. Tap one — the message rewrites in place to "✓ Bumped — cap is now $X". No browser, no public URL, works from anywhere with cell signal.
Install on a desktop or laptop — tourniquet runs as a local proxy.
Keep it running while your computer sleeps
Tourniquet sleeps when your computer sleeps. Use the right command for your OS to block sleep while it runs — the screen can still dim, only sleep is held off.
Stop with Ctrl+C or pkill caffeinate.
Stop with Ctrl+C — the inhibit lock is released automatically when the process exits.
Stop with Ctrl+C or close the PowerShell window — the wake-lock is bound to that session, so closing it releases the lock automatically.
Want true 24/7 without keeping a laptop awake? Run on a Raspberry Pi, Proxmox LXC, Docker, or a small cloud VM — step-by-step guide.
Swap two env vars. Your agent code, SDKs, and prompts don't change.
export ANTHROPIC_BASE_URL=http://localhost:8787 export ANTHROPIC_API_KEY=tq_YOUR_TOKEN claude
ANTHROPIC_BASE_URL=http://localhost:8787 ANTHROPIC_API_KEY=tq_YOUR_TOKEN
import anthropic
client = anthropic.Anthropic(
api_key="tq_YOUR_TOKEN",
base_url="http://localhost:8787",
)
resp = client.messages.create(
model="claude-haiku-4-5-20251001",
max_tokens=100,
messages=[{"role": "user", "content": "hi"}],
)
print(resp.content[0].text)
import Anthropic from "@anthropic-ai/sdk";
const client = new Anthropic({
apiKey: "tq_YOUR_TOKEN",
baseURL: "http://localhost:8787",
});
const resp = await client.messages.create({
model: "claude-haiku-4-5-20251001",
max_tokens: 100,
messages: [{ role: "user", content: "hi" }],
});
console.log(resp.content[0].text);
curl -s -N -X POST http://localhost:8787/v1/messages \
-H "authorization: Bearer tq_YOUR_TOKEN" \
-H "content-type: application/json" \
-H "anthropic-version: 2023-06-01" \
-d '{"model":"claude-haiku-4-5-20251001","max_tokens":50,"messages":[{"role":"user","content":"say hi in 5 words"}]}'
| Criteria | Tourniquet | Anthropic Console | LiteLLM | Helicone |
|---|---|---|---|---|
| Hard mid-stream stop at the cap | ✅ injected SSE message_stop | ❌ monthly soft limit only | ⚠️ TCP drop | ⚠️ TCP drop |
| Local-only / no cloud | ✅ 100% local, SQLite | ❌ Anthropic SaaS | ❌ requires Postgres + ops | ❌ SaaS proxy |
| Free | ✅ MIT licensed | ✅ at low usage | ⚠️ self-host overhead | ⚠️ tiered SaaS pricing |
| In-app one-tap recovery from phone | ✅ Slack + Telegram | ❌ none | ❌ none | ❌ none |
| Setup time | ~60 seconds | n/a — already on | ~hours (Postgres, configs, scopes) | ~minutes (signup, key swap) |
Comparison reflects the public state of each product as of May 2026. Corrections welcome via GitHub issue.
tq_ prefix and are bcrypt-hashed — the plaintext is shown once, then discarded.~/.tourniquet/tourniquet.db. You own it.
When your daily cap is reached mid-stream, Tourniquet doesn't drop the TCP connection.
It injects a synthetic SSE message_stop event at the end of the current
partial chunk, then cleanly closes the response:
This matters because the stop_reason field is surfaced to your agent code.
A well-written agent can catch tourniquet_cap_hit, log the event, and exit
gracefully — rather than crashing with an unhandled network exception.
Drop the TCP connection at the cap. The SDK raises a connection error. Your agent sees an unhandled exception — or retries and burns more tokens.
Inject a clean message_stop SSE event with a machine-readable stop_reason. The SDK calls your normal completion callback. You can handle it.
message_stop with stop_reason: tourniquet_cap_hit instead of a network exception.
ANTHROPIC_BASE_URL and ANTHROPIC_API_KEY env vars. Set both, point at http://localhost:8787, and Tourniquet handles the rest. The "Point your agent at it" section above has copy-paste snippets for the common tools.
http://localhost:8787 get connection refused (so no Anthropic spend), and Slack/Telegram taps queue at the provider until wake. Today's cap and audit history persist in SQLite — nothing resets. The one risk: an agent on the same machine that has the raw sk-ant- key cached somewhere can hit Anthropic directly while Tourniquet is asleep. Tourniquet only protects requests that go through it. Want always-on? Run caffeinate -di tourniquet start instead — built-in macOS command, blocks sleep but lets the screen dim. Stop it with Ctrl+C in that terminal, or pkill caffeinate from another. For 24/7 enforcement without keeping a laptop awake, run Tourniquet on a Raspberry Pi, Proxmox LXC, Docker host, or small cloud VM — full step-by-step at docs/deploy.md.
api.anthropic.com.
/trust page on the local dashboard lists exactly which fields each channel sees.