Pitchbar is self-hosted: your Cloudflare account is billed directly by Cloudflare. The Pitchbar team never sees those invoices and never collects a markup. This page explains exactly which Cloudflare resources Pitchbar uses, what each one does for your app, and where to read the bill.

Setup — token permissions

Create the API token at My Profile → API Tokens → Create Token → Get started — Create Custom Token. Add ALL of the following account-scoped permissions or some features will silently break (LLM works, Vectorize 10000s; or crawl works, embed fails; etc.).

Permission	Level	What breaks if missing
`Account → Workers AI`	Read	Every chat reply + every embedding (visitor messages, indexing) — the whole RAG pipeline.
`Account → Vectorize`	Edit	Creates the chunks index on first run, stores/queries vectors. Without it: `code 10000 Authentication error` or `code 40040 Index not found` on every retrieval.
`Account → Browser Rendering`	Edit	JS-rendered crawl for sites where plain HTTP returns an empty shell (Shopify, Next.js, Vue, Angular SPAs). Without it: falls back to Browserless (if configured) or plain HTTP — many sites yield no chunks.
`Account → Workers R2 Storage`	Edit	Optional. Only needed when you store branding assets or uploaded source PDFs in R2 (vs. local disk / S3).
`Account → Workers Scripts`	Edit	Powers the "Deploy Cron Worker" button at Settings → System → Cron worker, which pushes a small Worker that ticks your queue every 60s. Without it: you'll need a cPanel cron or external uptime ping hitting `/api/v1/internal/queue-tick`.

Resources scope — at the bottom of the token creation form, you'll see "Account Resources" and "Zone Resources." Set Account Resources → Include — All accounts, or explicitly pick the same account whose ID you paste into Settings → System → AI providers → Cloudflare → Account ID. Account-mismatched tokens are the #1 cause of code 10000 Authentication error — the permission list looks correct but the token can't see your account.

Verify in 10 seconds — once you have the token, test from any shell:

curl -H "Authorization: Bearer YOUR_TOKEN" \
     https://api.cloudflare.com/client/v4/accounts/YOUR_ACCOUNT_ID/vectorize/v2/indexes

A 200 with a JSON list (empty or containing pitchbar-chunks) means token + account are matched. A 10000 means they aren't. A 40040 means matched but the index doesn't exist yet — that's fine, Pitchbar creates it on first indexing run.

Cloudflare is the recommended default because it bundles every primitive Pitchbar needs (LLM, embeddings, vector store, crawler) under one account with generous free tiers. If you prefer not to use Cloudflare, leave the keys blank in Settings → System and Pitchbar falls back to OpenAI or OpenRouter — see Environment variables.

What Pitchbar uses Cloudflare for

Resource	What it does	Free tier (as of 2026)
Workers AI — chat	Generates every visitor reply using `@cf/meta/llama-3.3-70b-instruct-fp8-fast` by default. One call per visitor turn.	10,000 neurons / day (≈ a few thousand short replies). Past that, ~$0.011 per 1k input tokens, ~$0.011 per 1k output tokens.
Workers AI — embeddings	Turns each crawled chunk and each visitor question into a 768-dim vector via `@cf/baai/bge-base-en-v1.5`. One call per chunk at index time, one per visitor turn.	Counted against the same Workers AI neuron pool. Embedding calls are cheap — typically < 1% of chat cost.
Workers AI — reranker	Rescores the top-k chunks returned by Vectorize using `@cf/baai/bge-reranker-base` so the LLM gets the most relevant grounding. One call per visitor turn.	Same Workers AI neuron pool. Negligible compared to chat.
Vectorize	The vector database that stores your crawled content's embeddings and answers nearest-neighbour queries on every visitor turn.	30M stored dimensions + 50M queried dimensions per month free. A typical site (500 pages, ~5k chunks) uses ~3.8M stored — well within the free tier.
Browser Rendering	Crawls JavaScript-heavy pages (React / Vue / Shopify Hydrogen) so we can index content static fetch can't see. Used at indexing time, never on the visitor hot path. Auto-falls-back to plain HTTP for static sites.	10 minutes / day on the free Workers plan; 10 hours / day on the Paid plan ($5/mo). Full re-crawls of a 500-page site typically take 5–15 minutes.

Free-tier numbers are Cloudflare's published values at the time of writing — the Workers AI pricing page, Vectorize pricing page, and Browser Rendering pricing page are the source of truth — Cloudflare updates them periodically.

Realistic monthly cost ranges

These are working estimates, not commitments. Actual cost depends on visitor volume, average reply length, and how often you re-crawl.

Hobby site (≤ 500 visitors / month, < 100 pages indexed) — almost certainly $0 / month. Everything fits in the free tiers.
SMB site (5,000 visitors / month, 500 pages indexed, weekly re-crawl) — typically $0–$5 / month. The Browser Rendering Paid plan ($5/mo flat) is the most likely line item if your site is JS-heavy.
Mid-market (50,000 visitors / month, 5,000 pages indexed, daily re-crawl) — typically $20–$60 / month, dominated by Workers AI chat tokens.

Where to see the bill

Cloudflare bills directly through their dashboard:

Sign in at dash.cloudflare.com with the same account whose Account ID you pasted into Pitchbar.
Open Manage Account → Billing for invoices, or AI → Workers AI → Analytics / AI → Vectorize → Analytics for live usage graphs by model.
For day-by-day Workers AI cost, the Workers AI dashboard shows a \"neurons used\" graph that maps directly to billed usage.

Capping spend

Two safety levers ship in Pitchbar:

Per-plan AI controls. The platform admin's Plans page sets a per-message max_tokens and a monthly message ceiling. Hitting the cap surfaces an upgrade prompt to the visitor instead of burning more tokens.
Cloudflare-side spending limit. In dash.cloudflare.com → Billing → Notifications you can set a budget alert and have Cloudflare email you when usage crosses a threshold.

Switching providers

If you'd rather not use Cloudflare at all:

Leave the Cloudflare Account ID and API token blank in Settings → System and set OPENAI_API_KEY — Pitchbar's provider chain (Cloudflare → OpenRouter → OpenAI) falls through to OpenAI automatically.
OpenAI's chat models are typically more expensive per turn than Workers AI but ship industry-standard quality on gpt-4o-mini and similar.
Vector storage in this mode falls back to a Qdrant instance you host yourself — see Environment variables.

Bottom line. Cloudflare is the cheapest and simplest way to run Pitchbar. Most installs stay within the free tiers; even high-traffic ones rarely cross $50/month. You always have full visibility — the bill lives in your Cloudflare dashboard, not in Pitchbar.