Wealthfolio

Wealthfolio

Official

Docker app from Wealthfolio's Repository

Overview

Wealthfolio is a beautiful, open-source, local-first personal finance and investment tracker that keeps all of your data in your own SQLite database with no cloud dependency.

Media gallery

1 / 6

Install Wealthfolio on Unraid in a few clicks.

Find Wealthfolio in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.

Open the Apps tab on your Unraid server Search Community Apps for Wealthfolio Review the template variables and paths Click Install

Categories

Download Statistics

29,978
Total Downloads

Related apps

Explore more like this

Explore all

Details

Repository
wealthfolio/wealthfolio:latest
Last Updated2026-06-26
First Seen2026-05-16

Runtime arguments

Web UI
http://[IP]:[PORT:8088]/
Network
bridge
Shell
sh
Privileged
false
Extra Params
--user=99:100 --health-cmd="wget --quiet --tries=1 --spider http://127.0.0.1:8088/api/v1/healthz || exit 1" --health-interval=30s --health-timeout=10s --health-retries=3 --health-start-period=15s

Template configuration

WebUI PortPorttcp

Host port to expose. Change if 8088 clashes with another container.

Target
8088
Default
8088
Value
8088
AppdataPathrw

Holds the SQLite database (wealthfolio.db) and the encrypted secrets file. BACK THIS UP.

Target
/data
Default
/mnt/user/appdata/wealthfolio
Value
/mnt/user/appdata/wealthfolio
WF_SECRET_KEYVariable

REQUIRED. 32-byte key used to encrypt secrets at rest and sign session tokens. Generate ONCE with: openssl rand -base64 32 -- then save it somewhere safe. Losing it means losing all stored API keys and broker credentials.

WF_AUTH_PASSWORD_HASHVariable

Required for password login unless using OIDC SSO or WF_AUTH_REQUIRED=false. Argon2id PHC hash of your login password. Generate with: printf '%s' 'your-password' | argon2 yoursalt16chars -id -e -- then paste the full argon2id PHC string here.

WF_CORS_ALLOW_ORIGINSVariable

REQUIRED when auth is enabled. Comma-separated list of origins allowed to call the API. Must EXACTLY match the URL in your browser address bar (scheme, host, and port). Example: http://192.168.1.10:8088 or https://wealthfolio.example.com

WF_AUTH_REQUIREDVariable

Set to false only if a reverse proxy handles authentication and you are not using Wealthfolio login or SSO. Reverse-proxy-only auth does not satisfy MCP: WF_MCP_ENABLED=true still requires WF_AUTH_PASSWORD_HASH or OIDC.

Default
true
Value
true
WF_AUTH_TOKEN_TTL_MINUTESVariable

Session access token lifetime in minutes.

Default
60
Value
60
WF_OIDC_ISSUER_URLVariable

Optional SSO. OIDC issuer URL, for example https://auth.example.com/application/o/wealthfolio/. OIDC is enabled when this and WF_OIDC_CLIENT_ID are both set.

WF_OIDC_CLIENT_IDVariable

Optional SSO. Client ID registered with your OIDC provider. Required when WF_OIDC_ISSUER_URL is set.

WF_OIDC_CLIENT_SECRETVariable

Optional SSO. Client secret if your OIDC provider requires one. PKCE is always used, so many providers can leave this blank.

WF_OIDC_REDIRECT_URLVariable

Required when OIDC is enabled. Must be registered in your identity provider. Example: https://wealthfolio.example.com/api/v1/auth/oidc/callback

WF_OIDC_SCOPESVariable

Optional SSO. Space-separated scopes. Leave blank for the default: openid email profile.

WF_OIDC_ALLOWED_EMAILSVariable

Optional SSO allowlist. Comma-separated verified email addresses allowed to sign in. OIDC requires this and/or WF_OIDC_ALLOWED_SUBS unless WF_OIDC_ALLOW_ANY=true.

WF_OIDC_ALLOWED_SUBSVariable

Optional SSO allowlist. Comma-separated OIDC subject IDs allowed to sign in. Preferred over email allowlists when available.

WF_OIDC_ALLOW_ANYVariable

Optional SSO. Set true only to allow any user authenticated by your identity provider. Only safe on a dedicated single-user identity provider.

WF_OIDC_POST_LOGOUT_REDIRECT_URLVariable

Optional SSO logout. URL where the identity provider returns the browser after logout. Must be registered with the provider if set.

WF_OIDC_RP_LOGOUTVariable

Optional SSO logout. Set false to force local-only logout even when the identity provider supports RP-initiated logout. Default is true.

Default
true
Value
true
WF_MCP_ENABLEDVariable

Enable AI Agent Access (MCP) at /mcp. Requires Wealthfolio auth via WF_AUTH_PASSWORD_HASH or OIDC. The container refuses to start with MCP enabled if WF_AUTH_REQUIRED=false and no app auth is configured.

Default
false
Value
false
WF_MCP_AUDIT_ENABLEDVariable

When MCP is enabled, write agent tool calls to the audit log. Set false to disable new audit entries.

Default
true
Value
true
WF_REQUEST_TIMEOUT_MSVariable

HTTP request timeout in milliseconds. Default is 5 minutes -- generous to accommodate large broker syncs.

Default
300000
Value
300000
WF_LISTEN_ADDRVariable

Bind address inside the container. Leave at 0.0.0.0:8088 unless you know what you are doing.

Default
0.0.0.0:8088
Value
0.0.0.0:8088
WF_DB_PATHVariable

SQLite database path inside the container. Must live under /data so it persists.

Default
/data/wealthfolio.db
Value
/data/wealthfolio.db
WF_LOG_FORMATVariable

Log format: text (human-readable) or json (structured).

Default
text
Value
text