Invio is a lightweight, self-hosted invoicing tool designed for freelancers, consultants, and small businesses who want full control over their financial data without the complexity of CRMs or SaaS platforms. It eliminates account logins for clients by allowing secure public invoice links, while keeping all data under the user’s control.
Built with Deno and Fresh on the frontend and Hono + SQLite on the backend, Invio is optimized for speed and simplicity. It supports deployment via Docker or direct server installation, and ships with built-in security controls: JWT authentication for the admin area, rate limiting on the login endpoints to slow brute-force attempts, and HSTS and Content Security Policy response headers to counter protocol downgrade and cross-site scripting. Configuration is handled via environment variables, making it well suited to DevOps-style hosting.
What You Get
- Minimalist Invoice Creation - Create invoices with just client name, items, and amounts—no project tracking, CRM integration, or unnecessary fields.
- Secure Public Invoice Links - Clients view and pay invoices through a password-free public URL without creating an account. The link itself is the credential, so treat it as a bearer secret: it must be unguessable and should only be shared over channels the client trusts.
- Self-Hosted by Default - Full control over data storage and infrastructure; no vendor lock-in; data resides on your server using SQLite.
- Built-in Rate Limiting - Protects login endpoints with IP, username, and IP+username tracking; configurable via RATE_LIMIT_ENABLED, RATE_LIMIT_MAX_ATTEMPTS, and RATE_LIMIT_WINDOW_SECONDS.
- Security Headers Enforcement - Automatically applies X-Content-Type-Options, X-Frame-Options and CSP headers, plus optional HSTS, which is only worth enabling once the site is served over TLS, since browsers ignore it on plain HTTP and it pins HTTPS for the duration of its max-age.
- JWT Authentication - Stateless admin sessions with a configurable token TTL; a token is validated by its signature and expiry rather than against a server-side session record, so the TTL is the effective bound on how long a leaked or stolen token remains usable.
Common Use Cases
- Freelancers sending client invoices - A graphic designer uses Invio to generate clean, branded invoices and share them via link—clients view and pay without logging in.
- Small agencies managing client billing - A 5-person agency hosts Invio on a VPS to track all client payments internally, avoiding monthly SaaS fees and third-party access to client data.
- Developers needing a private billing tool - A solo developer deploys Invio on a Raspberry Pi at home to invoice clients while retaining full ownership of the data.
- Teams avoiding SaaS platforms - A consulting firm replaces QuickBooks Online with Invio to eliminate third-party data access and reduce recurring costs.
Under The Hood
Architecture
- Clear separation between frontend and backend services via Docker Compose, with isolated images and volumes enforcing modularity
- Backend follows a lean REST design with minimal endpoints and anemic domain models lacking embedded business logic
- No dependency injection or formal design patterns observed; data access is direct with no abstraction layers
- Frontend and backend are decoupled through environment variables, enabling independent deployment and scaling
Tech Stack
- Hono.js with TypeScript powers the lightweight backend, handling HTTP routing with type safety
- SQLite serves as the persistent database, configured via environment variables and mounted volumes for portability
- Frontend runs on Deno with Vite for fast HMR and Fresh 2.x for server-side rendering
- Components are styled with Tailwind CSS, relying on browser-native CSS capabilities for styling and theming
- Docker Compose orchestrates services using official container images, with environment-driven configuration and live reload support
Code Quality
- Limited test coverage with basic assertions and no structured test suites
- Generic error handling dominates, with no custom error classes or structured failure recovery
- Inconsistent naming conventions and loose use of TypeScript's type system undermine maintainability
- No linting or code formatting tools are in place, leading to unpredictable style and structure
- Logic is scattered across files without clear modular boundaries or layered architecture
What Makes It Unique
- Schema evolution is handled by tolerating older database structures at runtime, so an upgrade does not require a separate migration step before the application can start
- Frontend forms integrate server-side validation directly, eliminating the need for separate API clients or state management libraries
- Dynamic theming adapts to user and system preferences using CSS variables and localStorage, ensuring consistent appearance across components
- Internationalized formatting uses browser-native APIs for currency and numbers, avoiding external i18n dependencies
- Permission-aware UI rendering is embedded at the route level, computing visibility from granular user permissions without middleware; this hides controls a user may not use but is not an access control, so each backend endpoint still has to enforce the same permission