32blog by Studio Mitsu

Vercel Pro Billing Surprise? Check Your Spend Management Now

How Vercel Pro's usage-based billing can lead to unexpected charges, and exactly how to configure Spend Management to prevent it. Includes real-world billing horror stories and DDoS protection.

by omitsu | 11 min read

Vercel Pro's $20/month is a platform fee, not a spending cap. Without enabling the Pause feature in Spend Management, usage-based charges can exceed your budget with no automatic cutoff — and the default threshold is $200.

The first month on Vercel Pro, I looked at the billing page and thought: "Wait, I thought this was $20." It wasn't. The problem was that I didn't understand how Spend Management actually works.

This article explains how Vercel Pro's usage-based billing works, what's dangerous about the default settings, and exactly how to lock down your spending. If you're on the Hobby plan considering an upgrade, read this before you switch.


Vercel Pro Is Not a Flat $20/Month

Vercel Pro costs $20/month, but that's the platform fee, not a spending cap. Here's what that $20 actually covers:

| Resource | Hobby (Free) | Pro ($20/mo) | Overage Rate |
| --- | --- | --- | --- |
| Fluid Active CPU | 4 hrs/month | $20 credit offsets | $0.128/CPU-hr+ |
| Provisioned Memory | 360 GB-hrs/month | $20 credit offsets | $0.0106/GB-hr+ |
| Fast Data Transfer (bandwidth) | 100 GB/month | 1 TB/month | $0.15/GB |
| Edge Requests | 1M/month | 10M/month | $2/1M requests |
| Function Invocations | 1M/month | 1M/month | $0.60/1M |
| Monthly Credit | | $20 | |

The $20 monthly credit offsets overage charges. Once the credit is used up, everything beyond is billed on-demand with no automatic cap.

Here's where it gets expensive. Bandwidth beyond 1 TB costs $0.15 per GB. That's $15 for 100 GB over, $75 for 500 GB. A traffic spike from a viral post or a bot crawling your site can rack up charges fast.


The "Fluid Active CPU" Trap You're Probably Missing

Since 2025, Vercel Functions run on the Fluid Compute model. Not just builds — SSR (server-side rendering) and API Route execution also count as CPU time and are billed accordingly.

The Hobby plan caps at 4 hours/month. Hit 100% and you get a warning email. Exceed it and your project gets paused automatically.

What counts as Active CPU:

  • SSR (App Router server components)
  • API Route execution (/api/*)
  • Middleware (e.g., next-intl locale detection)
  • ISR (Incremental Static Regeneration) revalidation

What doesn't count:

  • I/O wait time (database queries, external API calls)
  • Static asset serving (CSS, images, JS bundles)
  • Pages pre-generated with generateStaticParams

This means switching article pages from SSR to SSG (static generation) can dramatically reduce Active CPU consumption.

generateStaticParams Alone Isn't Enough

Even if you use generateStaticParams to pre-render all pages at build time, there's a gap in the default behavior. By default, dynamicParams = true, which means Next.js will attempt SSR for any URL not in the static params list.

For example, if a bot hits /en/security/nordvpn-hacked-2024 — a URL that doesn't exist:

  1. Next.js sees it's not in the static list but tries dynamic SSR anyway
  2. Data fetch → article not found → notFound() → 404
  3. The 404 result is correct, but the CPU time for SSR is already consumed

For sites migrated from WordPress, or any site where SEO crawlers probe old URLs, this adds up fast.

The fix: add dynamicParams = false.

```tsx
// app/[locale]/[category]/[slug]/page.tsx
export const dynamicParams = false;

export async function generateStaticParams() {
  // ... return static params for all articles
}
```

This single line makes Next.js return an instant 404 for any URL not in the static params — no SSR, zero CPU consumption. Bots can hit your site thousands of times and it costs nothing.
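To gauge how much of this traffic a site is already receiving, the following added example (not code from the original article) counts requests in an access log that reach the `/[locale]/[category]/[slug]` route but are not pre-rendered. The log format, the route list and the function names are assumptions made for illustration.

```javascript
// Added example; KNOWN_ROUTES and SAMPLE_LOG are constructed sample data.
// KNOWN_ROUTES stands in for the paths generateStaticParams pre-renders.
const KNOWN_ROUTES = new Set([
  "/en/security/vercel-spend-management",
  "/ja/security/vercel-spend-management",
]);

// Constructed log lines: "<method> <path> <status> <user-agent>"
const SAMPLE_LOG = [
  "GET /en/security/vercel-spend-management 200 Mozilla/5.0",
  "GET /en/security/nordvpn-hacked-2024 404 ExampleBot/1.0",
  "GET /en/security/nordvpn-hacked-2024?ref=feed 404 ExampleBot/1.0",
  "GET /en/blog/hello-world/ 404 ExampleBot/1.0",
  "GET /wp-login.php 404 ExampleBot/1.0",
  "GET /en/2019/05/old-post/ 404 ExampleBot/1.0",
  "GET /_next/static/chunks/main.js 200 Mozilla/5.0",
  "GET /ja/security/vercel-spend-management/ 200 Mozilla/5.0",
];

// Drop query string, fragment and trailing slash so variants count as one path.
function normalize(rawPath) {
  const path = rawPath.split(/[?#]/)[0];
  return path.length > 1 ? path.replace(/\/+$/, "") : path;
}

// /[locale]/[category]/[slug] matches exactly three path segments.
function hitsDynamicRoute(path) {
  if (path.startsWith("/_next/")) return false; // framework assets
  return path.split("/").filter(Boolean).length === 3;
}

// Returns [path, hits] pairs for requests that reach the route but are not
// pre-rendered, i.e. the ones that trigger SSR while dynamicParams is true.
function findSsrFallthrough(logLines, knownRoutes) {
  const counts = new Map();
  for (const line of logLines) {
    const [method, rawPath] = line.split(" ");
    if (method !== "GET" || !rawPath) continue;
    const path = normalize(rawPath);
    if (!hitsDynamicRoute(path) || knownRoutes.has(path)) continue;
    counts.set(path, (counts.get(path) || 0) + 1);
  }
  return [...counts.entries()].sort((a, b) => b[1] - a[1]);
}

console.log(findSsrFallthrough(SAMPLE_LOG, KNOWN_ROUTES));
```

Paths with a different number of segments (such as `/wp-login.php`) never match this route, so they are not counted here.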


Is the Default Spend Management Actually Safe?

Since September 2025, new Pro teams have Spend Management enabled by default. Sounds reassuring. But look at what the defaults actually do.

Default configuration:

  • Spend Management: ON
  • Notification threshold: $200 (on-demand usage)
  • Alerts at 50%, 75%, and 100% of the threshold

The question is whether your site stops when you hit the limit.

With default settings and no manual changes:

  1. You get an email around $100 in overages
  2. You hit $200 — another notification
  3. Your site keeps running
  4. Billing keeps accumulating
  5. End-of-month surprise

Real-World Billing Horror Stories

Think it won't happen to you? It has happened to others.

Cara (artist platform): $96,280

In June 2024, artists fled Instagram over Meta's AI policy changes, flooding Cara. Users surged from 40,000 to 650,000 in one week. Vercel Functions charges hit approximately $96,000. The incident was widely covered (InfoQ, Hacker News) and became a cautionary tale for serverless billing.

Meta's crawler billing spike

A site using Middleware got hit with 11 million requests from Meta's crawler. Because Middleware executes on every request, Function Invocations exploded.

9,000 pageviews, $250/month

A site with just 9,000 monthly pageviews was paying $3,000/year. The cause: bot traffic combined with Middleware running on every request.

The common factors:

  • Bot and AI crawler traffic
  • Middleware executing on every single request
  • Spend Management Pause not configured

How to Lock Down Your Vercel Billing

Configure Spend Management properly

  1. Vercel Dashboard → Settings → Billing
  2. Find the Spend Management section
  3. Set the On-Demand Budget to $1
  4. Enable "Pause Production Deployments" — this is the critical step
  5. Confirm by entering your team name → Save

With Pause enabled, all production deployments automatically stop when you hit your limit. Visitors see a 503 error, but no additional charges accrue.

Recovery note: Unpausing is manual and per-project. Projects don't automatically resume even if you raise the limit.
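The difference between the notify-only default and a $1 budget with Pause, as an added example that is not from the original article or from Vercel: a simplified hourly model using the bandwidth rate and $20 credit quoted above. The traffic profile, the 1 MB page size and the hourly check interval are assumptions.

```javascript
// Added example: a simplified hourly model, not Vercel's billing engine.
// Rates are the Pro figures quoted in this article; traffic is constructed.
const PRO = { includedGB: 1000, perGB: 0.15, credit: 20 };

// Constructed month: normal traffic, a 5-day bot spike, normal traffic.
const TRAFFIC = [
  { hours: 240, reqPerHour: 1000 },
  { hours: 120, reqPerHour: 50000 },
  { hours: 360, reqPerHour: 1000 },
];

const cents = (x) => Math.round(x * 100) / 100;

// policy = { budget: on-demand budget in USD, pause: boolean }
function simulate(traffic, avgPageMB, policy) {
  const alerts = [];
  const pending = [0.5, 0.75, 1]; // alert thresholds as a share of the budget
  let hour = 0, gb = 0, spend = 0, pausedAtHour = null;
  outer: for (const seg of traffic) {
    for (let i = 0; i < seg.hours; i++) {
      hour++;
      gb += (seg.reqPerHour * avgPageMB) / 1000; // MB -> GB
      spend = Math.max(0, gb - PRO.includedGB) * PRO.perGB;
      while (pending.length && spend >= pending[0] * policy.budget) {
        alerts.push({ hour, pct: pending.shift() * 100 });
      }
      if (policy.pause && spend >= policy.budget) {
        pausedAtHour = hour; // paused deployments stop accruing usage
        break outer;
      }
    }
  }
  return {
    onDemand: cents(spend),
    billedAfterCredit: cents(Math.max(0, spend - PRO.credit)),
    alerts,
    pausedAtHour,
  };
}

const defaults = simulate(TRAFFIC, 1, { budget: 200, pause: false });
const locked = simulate(TRAFFIC, 1, { budget: 1, pause: true });
console.log(defaults, locked);
```

In this model the default policy sends all three alerts during the spike and keeps accruing, while the $1 budget with Pause stops within the first hour of overage and stays inside the credit.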

The Webhook field can be left empty

The Spend Management settings include a Webhook URL field. This sends an HTTP POST request to the specified URL when the budget limit is reached — useful for triggering Slack notifications or automated recovery scripts.

For personal sites, leave it empty. Email notifications (configurable under Manage Notifications) are sufficient. The Webhook is designed for teams with their own monitoring infrastructure. Spend Management's Pause feature works perfectly fine without a Webhook configured.

DDoS Protection: Attack Challenge Mode

Vercel provides free DDoS mitigation on all plans, including Hobby.

  • Automatic DDoS mitigation: Always-on L3/L4/L7 attack detection and mitigation (all plans, no configuration needed)
  • Attack Challenge Mode: When enabled manually, shows a challenge screen to all visitors to filter out bots

If you're under attack:

  1. Vercel Dashboard → Settings → Security
  2. Toggle Attack Challenge Mode ON
  3. Turn it OFF once the attack subsides

Hobby vs Pro: What's Actually Different

| | Hobby (Free) | Pro ($20/month) |
| --- | --- | --- |
| Bandwidth | 100 GB/month | 1 TB/month |
| When exceeded | Site stops (no charges) | $0.15/GB usage-based billing |
| Commercial use | Not allowed | Allowed |
| DDoS protection | Auto mitigation + Challenge Mode | Same |
| Spend Management | Not needed | Available (configure it!) |

Hobby users have zero risk of unexpected charges. When you hit 100 GB, your site stops serving traffic. No billing occurs. However, commercial use violates the terms of service.

More people upgrade to Pro than need to. If you're running a personal blog or side project, you're unlikely to exceed 100 GB/month.


How to Estimate Your Monthly Bandwidth

To decide whether you need Pro, estimate your site's bandwidth consumption.

Monthly bandwidth ≈ Monthly pageviews × Average page size

Rough estimates (static Next.js site):
  1 page ≈ 500KB–2MB (including images)
  10K PV/mo × 1MB = ~10 GB
  100K PV/mo × 1MB = ~100 GB (Hobby limit)
  500K PV/mo × 1MB = ~500 GB (within Pro)
  1M PV/mo × 1MB = ~1 TB (hitting Pro limit)

Under 100K monthly pageviews? Hobby is probably fine. Over 1M? Even Pro will have overages.


When Vercel Feels Too Expensive

Even with proper Spend Management, you might find that $20/month doesn't go far enough for your use case. At scale, Vercel's per-GB pricing adds up. The alternative is self-hosting on a VPS, where $4–12/month gets you equivalent capacity with no usage-based surprises. The tradeoff is managing infrastructure yourself — Vercel's "git push to deploy" experience is hard to replicate.


FAQ

Can Vercel Pro really charge more than $20/month?

Yes. The $20 is a platform fee, not a cap. It includes a $20 monthly credit that offsets usage charges. Once the credit and included allocations (1 TB bandwidth, 10M Edge Requests) are exhausted, additional usage is billed on-demand with no automatic limit unless you enable Spend Management Pause.

What's the safest Spend Management configuration?

Set the On-Demand Budget to $1 and enable Pause Production Deployments. With a $1 budget, any overage is fully absorbed by the $20 monthly credit — zero additional charges. The Pause feature automatically stops all production deployments when the limit is reached, so charges can't accumulate while you're not looking.

Does the Hobby plan have any billing risk?

No. The Hobby plan has hard limits — when you hit 100 GB bandwidth or 4 hours of Active CPU, your site stops serving traffic. No charges are incurred. The tradeoff is that commercial use is not permitted on Hobby.

What happens when Spend Management pauses my site?

Visitors see a 503 DEPLOYMENT_PAUSED error. No additional charges accrue. Recovery is manual and per-project — projects don't automatically resume even if you raise the limit. You can unpause through the dashboard or the Vercel REST API.

Does SSR count toward Fluid Active CPU billing?

Yes. Under the Fluid Compute model, every SSR page render, API Route execution, Middleware run, and ISR revalidation consumes Active CPU time. I/O wait time (database queries, external API calls) is excluded. Setting dynamicParams = false on statically generated routes prevents bots from triggering unnecessary SSR.

Is the Webhook field required for Spend Management?

No. The Webhook sends an HTTP POST when the budget limit is reached — useful for Slack alerts or automated recovery scripts. For personal sites, email notifications are sufficient. The Pause feature works independently of the Webhook.

How do I protect against DDoS-driven billing spikes?

Vercel provides free DDoS mitigation on all plans (L3/L4/L7). For active attacks, manually enable Attack Challenge Mode in Dashboard → Settings → Security. Combined with Spend Management Pause, this prevents the "DDoS → bandwidth explosion → massive bill" scenario.


Wrapping Up

| Action | Why |
| --- | --- |
| Enable Spend Management Pause | Default only notifies; it won't stop charges |
| Set your limit to what you can afford | The $200 default may be too high |
| Know where Attack Challenge Mode is | So you can enable it immediately during an attack |
| Calculate whether you need Pro | Under 100K PV/month, Hobby is likely enough |
| Review your Middleware usage | Every request through Middleware = billable invocation |

Vercel is an excellent platform. But using it without understanding the billing model is a recipe for surprises. Five minutes of configuration now saves you from an uncomfortable invoice later.

For a deeper comparison of usage-based edge pricing vs fixed-cost VPS and on-premise models, see Edge Computing Cost Structure Comparison. If you're considering self-hosting on a VPS, How to Self-Host Next.js with Coolify + VPS walks through the full setup.
