type: rule
status: active
timestamp: 2026-06-23
tags: [rules, billing, free-tier, cost-controls, card-allowed]

Card-on-file allowed BUT only on free-tier-safe providers with hard cost controls

Card-on-file OK with hard $0 spend cap

Card-on-file allowed — with hard cost controls

What changed 2026-06-23

The absolute “no card-on-file” rule is lifted. User decision: cards are fine, but a service must meet ALL three criteria before adding it:

  1. Real perpetual free tier — not a 30-day trial, not a credit grant. Tier must be $0/mo when usage = X.
  2. Hard cost cap available — budgets, spending limits, quotas that REJECT overages instead of charging for them. Or a service that simply stops working when free quota is exhausted.
  3. No silent overage charges — service must NOT auto-charge for quota overflow without explicit opt-in.

The new triage matrix

ProviderFree tierCost cap availableVerdict
Cloudflare (Workers, Pages, KV, D1, R2*)Yes (per-product)Workers stops at 100K/day on Free plan; R2 needs Paid plan with capsKEEP — R2 conditional
AWS Lambda1M req/mo + 400K GB-sec FOREVERAWS Budgets + reserved concurrency = hard capKEEP (rule: aws-lambda-exception)
GCP Cloud Run2M req/mo always-freeCloud Billing Budget alerts + spending limit (account-level)EVALUATE — user has no-Google rule, separate decision
Azure Functions Consumption1M execs always-freeAzure Budgets + spending limitEVALUATE — student account quirks
Firebase BlazeSpark generous; Blaze adds pay-as-you-goDaily quota cap available in Cloud ConsoleEVALUATE — only if Spark caps bite
Fly.io (killed free tier 2024)Nonen/aDROP — no free tier
Render Free750 inst-h/mo, 15-min sleepService just stops if quota exhaustedKEEP — no card needed
Hugging Face Spaces16 GB RAM / 2 CPU freeJust stops; no overageKEEP
Modal Labs$30/mo compute credits freeHard capKEEP
Val.town100K runs/dayJust stopsKEEP
Vercel Hobby1M invocationsCommercial-use BANDROP — license, not cost
NetlifyCredit-pooled (300/mo)Just stopsKEEP — but unpredictable for 25+ sites
RazorpayTEST mode free; LIVE charges per-txnPer-txn, predictableKEEP
Cloudflare R210 GB freeRequires Paid plan to ACTIVATE serviceEVALUATE — now permitted under new rule

What we lift from the old rule

The 5 cheap defensive moves (still apply)

These don’t change — they’re now even MORE important since cards are allowed:

  1. GCP project lien on Firebase project → prevents accidental deletion
  2. AWS Budgets at $1/mo for Lambda exception → email alert before any spend
  3. Service Quotas DECREASE on AWS → cap requests below free tier so overshoot is rejected, not charged
  4. CloudFlare account billing alarm at $0.10/mo via dash → catches R2 if activated
  5. 1Password / Doppler for credentials → cards stay encrypted, not in plaintext .env

What this DOESN’T allow

Migration impact

Cross-refs


Edit on GitHub · Back to index