The support ticket came in at 11 am on a Tuesday. 

An AI API company we work with was describing a problem that had surfaced overnight. One of their users had burned through $400 in prepaid API credits and then kept going for another $180 before the system caught it. 

The gating check was reading from a cached balance that was five minutes stale. Five minutes is a long time when a user is running a batch job at 3,000 requests per minute. 

The team had built credit gating into their product. It was just the wrong kind.

Credit gating is one of those things that sounds straightforward until you try to implement it at a production scale. 

The basic idea is simple: before you serve a request, check if the user has enough credit. If they do, serve it and deduct. If they don't, block it. Three steps.

The hard part isn't the logic. It's the timing, the concurrency, the expiry ordering, and the question of what "current balance" actually means for a user who is sending hundreds of requests per second.

Here's what a production credit gating implementation needs to handle, and how Flexprice's architecture addresses each piece.

What credit gating actually means

The phrase "credit gating" covers two distinct checks that most implementations collapse into one.

The first check is entitlement-based: does this customer have access to this feature at all? This is plan-level access control. A customer on the free tier doesn't have access to certain features regardless of their credit balance.

The second check is balance-based: does this customer have enough credits to pay for this specific request? This is consumption-based access control. The customer has the feature, but they may have run out of prepaid units.

Collapsing these into a single check works fine at low volume. At scale, they fail in different ways at different moments, and you need to handle them independently.

The entitlement layer

In Flexprice, entitlements represent "the benefits a customer gets from a subscription plan." When a customer subscribes to a plan, Flexprice assigns the associated entitlements automatically based on the plan's configuration.

Three types of features can be attached to an entitlement:

• Boolean features 

This is the simplest form of gating. The customer either has access or they don't. When you check this entitlement, you're reading a single IsEnabled flag. There's no balance involved. A customer on the free plan has IsEnabled: false for the premium API. A customer on the growth plan has IsEnabled: true.

• Metered features 

This is where it gets interesting. Each metered entitlement has a UsageLimit (nil means unlimited), a UsageResetPeriod (monthly, yearly, one-time), and an IsSoftLimit boolean. The IsSoftLimit field is the one most implementations ignore: if it's true, the system allows usage beyond the limit rather than blocking it. You still track and bill for the overage. You just don't deny the request.

• Config features return a static value. Useful for things like "max file size" or "rate limit tier" that vary by plan but don't involve consumption.

Creating an entitlement that attaches a metered feature to a plan:

POST /v1/entitlements
{

  "entity_type": "plan",

  "entity_id": "plan_growth_01",

  "feature_id": "feat_api_calls_01",

  "feature_type": "metered",

  "usage_limit": 100000,

  "usage_reset_period": "monthly",

  "is_soft_limit": false
}
With is_soft_limit: false, the system tracks usage against usage_limit: 100000. When a customer's metered usage for the current period hits that ceiling, the gate blocks access for the rest of the period.

With is_soft_limit: true, the system continues serving beyond the limit and bills for the overage. This is the right choice for most production AI API products. Cutting off a customer mid-request because they hit a soft threshold is usually worse than letting them continue and having a conversation about their plan.

The balance layer

Below the entitlement check sits the wallet. Wallets in Flexprice hold prepaid credit balances for a customer. Every wallet tracks two numbers: CreditBalance (in credit units) and Balance (in currency). The relationship between them is Balance = CreditBalance × ConversionRate. This lets you sell credits in bulk at a different rate than the standard conversion. A 20% discount on a large credit purchase is just a different TopupConversionRate.

Creating a wallet and issuing an initial credit grant:
POST /v1/wallets
{

  "customer_id": "cust_abc123",

  "currency": "USD",

  "conversion_rate": 1.0

}
For recurring grants (the kind that replenish automatically each billing period), use cadence: "RECURRING" with a period value:

POST /v1/creditgrants
{

  "name": "Monthly Credit Allowance",

  "scope": "PLAN",

  "subscription_id": "sub_xyz789",

  "plan_id": "plan_growth_01",

  "credit_amount": 200,

  "currency": "USD",

  "cadence": "RECURRING",

  "period": "monthly",

  "expire_in_days": 60
}
The expire_in_days The field sets how long each credit tranche lasts. When credits expire, the system generates a corresponding debit transaction automatically so the ledger stays accurate.
Checking balance in real time

The balance check before serving a request uses a single endpoint:

GET /v1/wallets/{wallet_id}/balance/real-time

The response includes the current balance with pending usage factored in. For prepaid wallets, the real-time calculation subtracts pending usage charges and unpaid invoices from the stored balance. This is what separates a real-time balance check from a cached one: the number reflects what's actually been consumed, not what was committed to the database at the last reconciliation.

For latency-sensitive paths, the balance API is designed for a p95 target under 100ms. The architecture that makes this possible: usage events flow through Kafka into a ClickHouse aggregate table (agg_usage_period_totals) via a materialized view. The balance query reads from that aggregate table, not from raw events. No full event scan on the hot path.

For the highest-volume gating paths, the endpoint also supports a get_from_cache parameter that trades some freshness for lower latency. The cache has a configurable staleness window via max_live_seconds. The right value depends on your risk tolerance: a 10-second stale cache is fine for a dashboard, but not for gating at 3,000 requests per minute.

If you're resolving a customer by their external ID rather than their internal Flexprice ID:

GET /v1/customers/wallets?external_customer_id=cust_external_001

This returns all wallets for that customer, which you can then check individually or in aggregate.

The Gating Pattern in Practice

Here's the sequence a properly implemented credit gate runs on every incoming request:

Step 1: Check entitlement.

GET /v1/entitlements?entity_type=subscription&entity_id=sub_xyz789&feature_id=feat_api_calls_01

If the entitlement doesn't exist, the customer doesn't have access to this feature. Return 403.

If the entitlement exists and feature_type is boolean, check is_enabled. If false, return 403.

If feature_type is metered and is_soft_limit is false, you'll need to compare current usage against usage_limit. If current usage is at or above the limit, return 429 with a clear message about the period reset date.

Step 2: Check wallet balance.

GET /v1/wallets/{wallet_id}/balance/real-time
If balance is 0 or below, return 402. The customer needs to top up.

Step 3: Serve the request.

Step 4: Ingest the usage event.
POST /v1/events
{

  "event_name": "api_call",

  "external_customer_id": "cust_external_001",

  "timestamp": "2026-04-09T14:32:00Z",

  "properties": {

    "model": "gpt-4o",

    "tokens_used": "1200"
}
}
For high-volume event ingestion, the Go SDK's async client batches events and sends them in the background:

asyncConfig := flexprice.DefaultAsyncConfig()

asyncClient := client.NewAsyncClientWithConfig(asyncConfig)

defer asyncClient.Close()

asyncClient.Enqueue("api_call", externalCustomerID, map[string]interface{}{

    "model":       "gpt-4o",

    "tokens_used": 1200,
})

This keeps the post-request path non-blocking. The batch flushes on a configurable interval rather than per-event.