Securo launches on Uneed on June 16! If it's useful to you, an upvote means a lot.
We believe personal finance should actually be personal. No corporation should sit between you and your financial data. Securo is an open-source finance manager that runs on your own infrastructure, giving you full visibility into your accounts, spending, and habits, without surrendering a single byte to third parties. Take back control.
Linux & macOS (uses Docker or Podman; installs Docker if neither is present):
curl -fsSL https://usesecuro.com/install.sh | bash
Windows: Install Docker Desktop, then:
git clone https://github.com/securo-finance/securo.git && cd securo
docker compose up --build
Open http://localhost:3000 and create an account. That's it.
- Multi-account management with running balances
- Transaction management with search, filters, and CSV export
- File import (OFX, QIF, CAMT, CSV)
- Auto-categorization rules engine
- Recurring transactions and budgets
- Goals and savings targets with progress tracking
- Asset management with valuation tracking and growth rules
- Reports: Net Worth and Income vs Expenses with category sparklines
- Bank sync via providers (Pluggy for Brazilian banks, Enable Banking for ~2500 European PSD2 banks, SimpleFIN for US and international banks, extensible)
- Multi-currency support with automatic FX conversion
- Multi-user support with admin panel and registration controls
- Two-factor authentication (TOTP) with brute-force protection
- OIDC login support for Authentik, Pocket ID, and other standard providers
- AI Agents (optional): self-hosted LLM chat with tool-use over your data, plus a per-agent RAG knowledge base
Add credentials for any of the supported providers to .env, then restart with docker compose up. Configure one or both; each provider auto-registers when its credentials are present.
Sign up at pluggy.ai and add:
PLUGGY_CLIENT_ID=your-client-id
PLUGGY_CLIENT_SECRET=your-client-secret
Sign up at enablebanking.com, create a Production application, and download its PEM private key. Save the PEM to ./secrets/ (gitignored), then add:
ENABLE_BANKING_APP_ID=your-application-id
ENABLE_BANKING_PRIVATE_KEY_FILE=/app/secrets/your-key.pem
ENABLE_BANKING_OAUTH_REDIRECT_URI=https://your-host/oauth/callback
The redirect URI must match exactly one of the Allowed Redirect URLs in your EB application. Production EB requires HTTPS; for local development, expose your frontend via a tunnel (ngrok, cloudflared) or use the EB sandbox.
Free tier: restricted mode. Enable Banking's free plan requires you to pre-link the accounts you want to import inside the EB portal before connecting from Securo. If you skip that step, the connection returns no accounts and Securo will surface a banner with a link to the portal.
SimpleFIN is a read-only open protocol. No API key is needed: each connection brings its own credentials via a single-use Setup Token from the SimpleFIN Bridge. Just enable the feature:
SIMPLEFIN_ENABLED=true
SIMPLEFIN_API_URL=https://beta-bridge.simplefin.org # sandbox; use bridge.simplefin.org for real banks
Then in Securo: Accounts → Connect Bank → SimpleFIN, and paste the token. The developer page gives out free demo tokens if you want to try it without a real bank.
Securo can delegate login to any standard OIDC provider, including Authentik and Pocket ID. Create a confidential/web application in your provider and register this redirect URI:
https://your-securo-host/api/auth/oidc/callback
Then add the provider settings to .env and restart:
OIDC_ENABLED=true
OIDC_PROVIDER_NAME=Pocket ID
OIDC_DISCOVERY_URL=https://id.example.com/.well-known/openid-configuration
OIDC_CLIENT_ID=securo
OIDC_CLIENT_SECRET=your-client-secret
# Optional; defaults to ${FRONTEND_URL}/api/auth/oidc/callback
OIDC_REDIRECT_URI=https://your-securo-host/api/auth/oidc/callback
New OIDC users are auto-provisioned by default (OIDC_AUTO_REGISTER=true) using verified email addresses. Set OIDC_AUTO_REGISTER=false to allow only existing Securo users whose email matches the provider claim.
Securo can also synchronize provider roles/groups into its built-in permissions when OIDC_SYNC_ROLES=true. The default claim is groups, which works well with Authentik group mappings and Pocket ID role/group assignments.
OIDC_SYNC_ROLES=true
OIDC_ROLES_CLAIM=groups
OIDC_ADMIN_ROLES=securo-admins
OIDC_WORKSPACE_ROLE_MAP={"securo-owners":"owner","securo-editors":"editor","securo-viewers":"viewer"}
OIDC_ADMIN_ROLES grants or revokes Securo admin (is_superuser) on each OIDC login. OIDC_WORKSPACE_ROLE_MAP maps provider roles/groups to the user's Personal workspace role (owner, editor, or viewer); if multiple mapped roles are present, Securo applies the highest permission. Leave OIDC_SYNC_ROLES=false to keep all Securo roles managed locally.
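To see what a given set of provider groups would yield before enabling role sync, the mapping rules described above can be modelled offline. This is an added example, not Securo's own code: the function names, the comma-separated reading of OIDC_ADMIN_ROLES, and the "no mapped group yields no role" result are assumptions, and the token payloads are constructed.

```python
import json

# Privilege order for the workspace roles named on this page, lowest first.
ROLE_RANK = {"viewer": 0, "editor": 1, "owner": 2}


def load_role_config(env):
    """Parse and validate the OIDC_* role settings from an env-style dict."""
    role_map = json.loads(env.get("OIDC_WORKSPACE_ROLE_MAP", "{}"))
    bad = {g: r for g, r in role_map.items() if r not in ROLE_RANK}
    if bad:
        raise ValueError(f"unknown workspace role(s) in map: {bad}")
    # Assumption: several admin groups may be listed comma-separated.
    admins = {g.strip() for g in env.get("OIDC_ADMIN_ROLES", "").split(",") if g.strip()}
    return {
        "sync": env.get("OIDC_SYNC_ROLES", "false").lower() == "true",
        "claim": env.get("OIDC_ROLES_CLAIM", "groups"),
        "admins": admins,
        "map": role_map,
    }


def resolve_access(cfg, id_claims):
    """Return what one login would yield, or None when roles stay local."""
    if not cfg["sync"]:
        return None
    raw = id_claims.get(cfg["claim"], [])
    groups = {raw} if isinstance(raw, str) else set(raw)
    mapped = [cfg["map"][g] for g in groups if g in cfg["map"]]
    return {
        # Recomputed on every login, so leaving the admin group revokes admin.
        "is_superuser": bool(groups & cfg["admins"]),
        # Highest mapped permission wins; None (assumed) if no group is mapped.
        "workspace_role": max(mapped, key=ROLE_RANK.get, default=None),
    }


# Constructed sample: the settings shown above plus two made-up ID-token payloads.
ENV = {
    "OIDC_SYNC_ROLES": "true",
    "OIDC_ROLES_CLAIM": "groups",
    "OIDC_ADMIN_ROLES": "securo-admins",
    "OIDC_WORKSPACE_ROLE_MAP": '{"securo-owners":"owner","securo-editors":"editor","securo-viewers":"viewer"}',
}
CFG = load_role_config(ENV)
ALICE = resolve_access(CFG, {"groups": ["securo-viewers", "securo-editors", "securo-admins"]})
BOB = resolve_access(CFG, {"groups": "securo-viewers"})
```

A typo in a role value of the map raises ValueError here, which is the kind of mistake worth catching before it silently changes who can edit a workspace.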
For automatic currency conversion, add a free Open Exchange Rates key to .env:
OPENEXCHANGERATES_APP_ID=your-app-id
Rates are fetched on-demand when foreign-currency transactions are created. Without a key, cross-currency amounts default to a 1:1 fallback rate with a visual warning.
Self-hosted AI assistants over your Securo data: multi-provider (OpenAI, Anthropic, Ollama, OpenAI-compatible), tool-use via MCP, per-agent RAG knowledge base, ⌘J global chat panel.
Add to .env:
AGENTS_ENABLED=true
COMPOSE_PROFILES=agents
Then run docker compose up -d and go to Settings → AI Agents to add a provider connection. Off by default; zero cost when off.
| Layer | Stack |
|---|---|
| Backend | FastAPI, SQLAlchemy, Alembic, Celery |
| Frontend | React, TypeScript, Vite, Tailwind CSS |
| Database | PostgreSQL |
| Queue | Redis + Celery |
Parts of this codebase were built with the help of AI. All code is human-reviewed and no data leaves your environment.
# Run backend tests (from backend/, needs Python 3.11+; same as CI)
cd backend
pip install -e ".[dev]" # first time only; installs pytest and dev deps
pytest
# Rebuild after dependency changes
docker compose up --build
See CONTRIBUTING.md for guidelines.
This project is licensed under the GNU Affero General Public License v3.0.
This means you can freely use, modify, and distribute this software, but any modifications, including when used as a network service (SaaS), must also be released under the AGPL-3.0.
