Break down token usage by billing cycle and see who's running the device agent
The billing page now answers "where did the tokens go?" in detail: pick any billing cycle and slice org-wide usage by token type, risk involvement, or analytics dimensions, then drill into any date range on the chart. Admins also get visibility into device agent adoption — the Employee Enrollment table shows whether each member's agent is checking in — and agent sessions now display the personal AI account email behind each session, not just the attributed work email.
Features
Token usage breakdown on the billing page#3973 - A billing-cycle picker scopes a new Token usage panel to any contracted cycle. The stacked chart slices org-wide tokens by type (input, output, cache read, cache write), risk involvement, or analytics dimensions, with daily, weekly, and monthly granularity and a cumulative view. Click or drag across bars to drill into a range, type a custom period in natural language, and read per-metric cycle totals with sparklines in the details table below. Finalized cycles are served from durable billing snapshots, so historical numbers stay stable. (Author: @daviddanialy)
Device agent status on Employee Enrollment#4066 - An admin-only Device Agent column shows whether each member's Speakeasy device agent is Active, Stale, or Not Enrolled, refreshes every 30 seconds, and is sortable — so it's easy to spot who is (or isn't) running the agent right next to their telemetry enrollment. (Author: @bradcypert)
AI account email on agent sessions#3943 - Session list rows, transcript user messages, and the session details popover now show the email of the personal AI account behind a session (e.g. a Gmail on a Claude Max plan) alongside the attributed employee's work email. Attribution is also deterministic: the device-enrolled work email always takes precedence over the account's self-reported email. (Author: @daviddanialy)
External credentials management API#3911 - Manage the AWS and GCP IAM credentials Gram uses to authenticate into a customer cloud account through a new organization-scoped API, with per-provider create, update, get, and delete plus a filterable list. Access is gated on org roles and every change is audited. (Author: @bflad)
Safer hook sign-in#3957 - Browser login for hooks now delivers the minted API key to the local listener as a form POST instead of a callback URL parameter, keeping the key out of browser history and request logs, and the sign-in tab closes itself once authentication completes. (Author: @danielkov)
Observe pages restricted to org admins#3922 - The Observe section (Costs, MCP & Tools Insights, Employee Enrollment, Agent Sessions, and Tool Logs) is now gated on the org admin role, so basic members see an access-restricted notice instead of org-wide telemetry. (Author: @mfbx9da4)
Issuer documentation links#4055 - Issuer discovery now captures RFC 8414 service documentation, policy, and terms-of-service URLs and surfaces them on remote session issuers across the project, organization, and admin views. (Author: @bflad)
Reorganized remote sessions management API#3955 - The org-admin remote sessions service is split into per-resource services for issuers, clients, and sessions, mirroring the project-scoped layer. Note this is a breaking change for the management API and SDK: method names drop their redundant resource suffix (e.g.
Billing charts match billed totals#4061 - The billing page's headline chart and every breakdown (model, user, division, role, source, token type) now read the billed population directly, instead of org-wide analytics aggregates that could overstate usage by orders of magnitude. (Author: @daviddanialy)
Tool Logs status filtering#3975 - The response status filter now applies at the trace level, so status-less rows no longer leak successful traces into "Non-2xx responses", and the Tool Logs page gains a first-class Error, Success, Blocked, and Pending status filter. (Author: @simplesagar)
Employee session counts from telemetry#3946 - The Agent Sessions card on the employee detail page now counts distinct sessions from telemetry instead of an email substring match against mirrored chats, so the number is consistent with every other metric on the page. (Author: @linear-code)
Deleted MCP servers keep their tool-usage classification#4040 - A managed server's usage history no longer flips to shadow MCP classification once the server is deleted or recreated. (Author: @linear-code)
Confirm before deleting a risk policy#3863 - Deleting a risk policy now asks for confirmation instead of removing it immediately. (Author: @alx-xo)