What Counts as Abuse
For an AI API, abuse isn’t just “high usage.” It’s behavioral patterns that indicate misuse:
- Mass reselling traffic through a single key
- Sudden massive spikes in token consumption
- High concurrency from a low-age account
- Automated scraping or proxying
- Shared API keys across many users or IPs
- 24/7 maxed-out throughput usage
- Unusual token patterns (e.g., huge context windows on every request)
Dynamic Percentile Thresholds
Instead of hard-coding a flat token limit, ShuttleAI uses a dynamic percentile system that scales with real usage across each plan tier.
How it works
- We calculate a rolling 15-day total tokens used per user within each tier.
- We compute the 99th percentile of that tier.
- Users above the 99th percentile are flagged for review.
Percentiles are computed per tier. Free users do not affect Premium thresholds, and Premium users do not affect Scale thresholds. Full tier isolation is enforced.
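The per-tier percentile check described above, as an added example (not ShuttleAI's code): it assumes a nearest-rank percentile and a constructed event format of (day, tier, user, tokens), since the page does not publish the actual formula. All function names and the sample data are hypothetical.

```python
from collections import defaultdict
from datetime import date, timedelta

WINDOW_DAYS = 15        # rolling window stated on this page
PERCENTILE = 99         # per-tier percentile stated on this page
AS_OF = date(2025, 1, 31)  # constructed evaluation date

def rolling_totals(events, as_of, window_days=WINDOW_DAYS):
    """Sum tokens per tier and user for events in the window ending at as_of."""
    start = as_of - timedelta(days=window_days)
    totals = defaultdict(lambda: defaultdict(int))
    for day, tier, user, tokens in events:
        if start < day <= as_of:          # older usage rolls off; no calendar reset
            totals[tier][user] += tokens
    return totals

def nearest_rank(values, pct):
    """Nearest-rank percentile (assumed method; the real formula is unpublished)."""
    ordered = sorted(values)
    rank = max(1, (pct * len(ordered) + 99) // 100)   # integer ceil(pct*n/100)
    return ordered[rank - 1]

def flag_for_review(events, as_of):
    """Return {tier: (threshold, users above it)}; tiers never share a threshold."""
    result = {}
    for tier, per_user in rolling_totals(events, as_of).items():
        threshold = nearest_rank(per_user.values(), PERCENTILE)
        flagged = sorted(u for u, t in per_user.items() if t > threshold)
        result[tier] = (threshold, flagged)
    return result

def sample_events(as_of):
    """Constructed usage: 200 Free users, 100 Premium users, one Free burst."""
    events = []
    for i in range(200):
        events.append((as_of - timedelta(days=i % 15), "free", f"free-{i}", 1_000 + i))
    for i in range(100):
        events.append((as_of - timedelta(days=i % 15), "premium", f"prem-{i}", 500_000 + i))
    events.append((as_of, "free", "free-7", 90_000))                      # burst in window
    events.append((as_of - timedelta(days=20), "free", "free-8", 10**9))  # outside window
    return events

if __name__ == "__main__":
    for tier, (threshold, flagged) in flag_for_review(sample_events(AS_OF), AS_OF).items():
        print(f"{tier}: p99={threshold} flagged={flagged}")
```

In the sample, `free-7` is flagged in the Free tier even though its total is far below every Premium user's, because each tier is ranked only against itself. With nearest-rank, a tier of fewer than 100 users never exceeds its own 99th percentile, and a larger tier always surfaces roughly its top 1%, which fits a rule that flags for review.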
Rolling Usage Windows
ShuttleAI does not use calendar-month resets. We track usage on:
- Rolling 15-day window — catches short burst abuse
- Rolling 30-day window — catches sustained overuse
Concurrency & Rate Limits
Tokens alone don’t tell the full story. We also enforce concurrency and rate limits per tier:
| Plan | Concurrent Requests | RPM Cap | TPM Cap |
|---|---|---|---|
| Free | 2 | Low | Low |
| Basic | 5 | Moderate | Moderate |
| Premium | 15 | High | High |
| Scale | Custom | Custom | Custom |
- Requests per minute (RPM)
- Parallel / concurrent requests
- Burst usage patterns
- Tokens per request
- Tokens per minute (TPM)
- Model mix usage
Reselling & Proxy Detection
Reselling ShuttleAI access is the single biggest abuse risk. Someone buying a Premium plan and reselling GPT-5.2 access at a markup undermines the entire platform.
What reselling looks like
- Very high concurrency sustained 24/7
- Multiple different user agents on a single key
- Referrer or origin mismatches
- Wide geographic IP spread
What we track
- Unique IPs per API key
- IP entropy score — measures how “spread out” the IPs are
- Geographic distribution
- Session behavior patterns
Anti Key-Sharing Protections
To prevent casual key sharing:
- Optional IP locking — restrict a key to specific IPs
- Device fingerprinting — track usage environments
- HMAC signature requirement — available for advanced integrations
- Per-key environment tagging — label keys by use case
- Automatic key rotation on abuse warning — compromised keys are cycled immediately
| Component | What It Measures |
|---|---|
| token_percentile_score | Where you fall in your tier’s token usage distribution |
| concurrency_score | How many parallel requests you sustain |
| ip_entropy_score | How many unique IPs / how spread out they are |
| burst_score | Short-term spikes in requests or tokens |
| uptime_score | Whether usage is continuous 24/7 (bot-like) |
Warning & Enforcement Escalation
When abuse is detected, ShuttleAI follows a graduated enforcement ladder:
Warnings are permanent on your account record. Repeated violations escalate faster.
Transparency Policy
We believe in being transparent about what we protect against, without giving abusers a roadmap.
Published (this page)
- Safe floor numbers per plan
- General abuse policy and enforcement steps
- Types of behavior we monitor
Not Published
- Exact dynamic threshold values
- Exact percentile formula and weights
- Abuse score formula coefficients
Summary
| Allowed | Not Allowed |
|---|---|
| Using the API in your own app | Reselling API access to others |
| Building tools for personal use | Offering a proxy / wrapper API |
| Moderate, direct application traffic | Excessive or redistributed traffic |
| Using a normal amount | 24/7 maxed-out bot-like usage |
Questions about a specific use case? Reach out on Discord and we’ll help you figure out if it fits.