* feat(mcp): add OAuth well-known discovery endpoints (RFC 8414 + RFC 9728) Serves /.well-known/oauth-protected-resource (RFC 9728) and /.well-known/oauth-authorization-server (RFC 8414) so MCP clients can auto-discover the authorization server. Both endpoints are unauthenticated and respect APP_URL for reverse-proxy deployments. * feat(mcp): add dynamic client registration endpoint (RFC 7591) POST /register creates a public Doorkeeper::Application on demand so MCP clients (e.g. Claude.ai) can self-register without manual setup. Validates redirect_uris (including blank entries), falls back to "MCP Client" name, returns no client_secret (public client, PKCE only). Rate-limited to 10 registrations/min/IP via Rack::Attack. * feat(mcp): authenticate via Doorkeeper OAuth2, keep MCP_API_TOKEN as fallback MCP endpoint now accepts OAuth2 Bearer tokens issued by Doorkeeper. Falls back to the existing MCP_API_TOKEN env-var flow so self-hosted deployments are not broken. Requires MCP_OAUTH_ENABLED or MCP_API_TOKEN to be set — the endpoint returns 503 otherwise. - OauthBase concern provides APP_URL-aware configured_base_url (trailing slash stripped to prevent double-slash URLs) - Bearer scheme parsed case-insensitively (RFC 7235) - Only read_write scope accepted — read scope would allow mutating tools (CreateGoal, ImportBankStatement), so read-only tokens are rejected - Deactivated users rejected even with a valid Doorkeeper token - WWW-Authenticate header on 401 points to RFC 9728 resource metadata - SHA-256 digest used for constant-time env-var comparison - Rack::Attack throttle added for POST /register - Routes wired: /.well-known/*, /register, use_doorkeeper * fix(mcp): disable Turbo on OAuth consent form for external redirect URIs Turbo was intercepting the authorization form POST and XHR-fetching the redirect_uri (e.g. https://claude.ai/api/mcp/auth_callback), which CORS blocks. Extend the existing turbo_disabled guard to cover any redirect_uri that doesn't originate from the app itself. * feat(mcp): add Settings::McpController with connected clients view - Settings > MCP page (under Advanced) shows the MCP server URL with copy button and step-by-step instructions for connecting Claude.ai - Lists active non-mobile OAuth tokens with app name and revoke action; mobile device tokens are excluded to prevent accidental disconnection - Removes the MCP_OAUTH_ENABLED env-var gate — OAuth auth is always available since Doorkeeper handles consent; MCP_API_TOKEN remains as a self-hosted fallback * fix(mcp): remove client_credentials from grant_types_supported metadata Only authorization_code is supported by the registration endpoint. Advertising client_credentials was misleading — a client that reads the metadata and attempts that flow would get an application with the wrong grant type.
Deutsch | Español | Français | 日本語 | 한국어 | Português | Русский | 中文
Sure: The personal finance app for everyone
Get involved: Discord • Website • Issues
Important
This repository is a community fork of the now-abandoned Maybe Finance project.
Learn more in their final release doc.
Backstory
The Maybe Finance (archived/abandoned repo) team spent most of 2021–2022 building a full-featured personal finance and wealth management app. It even included an “Ask an Advisor” feature that connected users with a real CFP/CFA — all included with your subscription.
The business end of things didn't work out, and so they stopped developing the app in mid-2023.
After spending nearly $1 million on development (employees, contractors, data providers, infra, etc.), the team open-sourced the app. Their goal was to let users self-host it for free — and eventually launch a hosted version for a small fee.
They actually did launch that hosted version … briefly.
That also didn’t work out — at least not as a sustainable B2C business — so now here we are: hosting a community-maintained fork to keep the codebase alive and see where this can go next.
Join us!
Hosting Sure
Sure is a fully working personal finance app that can be self hosted with Docker.
Forking and Attribution
This repo is a community fork of the archived Maybe Finance repo. You’re free to fork it under the AGPLv3 license — but we’d love it if you stuck around and contributed here instead.
To stay compliant and avoid trademark issues:
- Be sure to include the original AGPLv3 license and clearly state in your README that your fork is based on Maybe Finance but is not affiliated with or endorsed by Maybe Finance Inc.
- "Maybe" is a trademark of Maybe Finance Inc. and therefore, use of it is NOT allowed in forked repositories (or the logo)
Performance Issues
With data-heavy apps, inevitably, there are performance issues. We've set up a public dashboard showing the problematic requests seen on the demo site, along with the stacktraces to help debug them.
https://www.skylight.io/app/applications/s6PEZSKwcklL/recent/6h/endpoints
Any contributions that help improve performance are very much welcome.
Local Development Setup
If you are trying to self-host the app, read this guide to get started.
The instructions below are for developers to get started with contributing to the app.
Requirements
- See
.ruby-versionfile for required Ruby version - PostgreSQL >9.3 (latest stable version recommended)
- Redis > 5.4 (latest stable version recommended)
Getting Started
cd sure
cp .env.local.example .env.local
bin/setup
bin/dev
# Optionally, load demo data
rake demo_data:default
Visit http://localhost:3000 to view the app.
If you loaded the optional demo data, log in with these credentials:
- Email:
user@example.com - Password:
Password1!
For further instructions, see guides below.
Setup Guides
- Mac dev setup
- Linux dev setup
- Windows dev setup
- Dev containers - visit this guide
One-click Install
Managed OpenClaw for Sure Finances
License and Trademarks
Maybe and Sure are both distributed under an AGPLv3 license.
- "Maybe" is a trademark of Maybe Finance, Inc.
- "Sure" is not, and refers to this community fork.
