Skip to main content

Requirements

  1. Install Docker on your machine;
  2. Make sure Docker Compose is installed and available (it should be the case if you have chosen to install Docker via Docker Desktop); and
  3. Make sure Git is installed on your machine.

Run the Lago App

Run the app with a one-click Docker command

You can start using the app by using a one-click Docker command in a shell:
You can now open your browser and go to http://localhost to connect to the application. Just after signing up, Lago’s API is exposed at http://localhost:3000.

Run the app with advanced Docker commands

If you don’t want to use the one-click Docker command, you can start using Lago by running more advanced commands in a shell:
You can now open your browser and go to http://localhost to connect to the application. Just after signing up, Lago’s API is exposed at http://localhost:3000.

Signing up

It’s mandatory to create your organization by signing up to Lago. This organization is the core object of your biller as it’s used to invoice your customers.
  1. Write down your organization name;
  2. Use the main billing email of your company; and
  3. Define the admin password for this email.
You will be able to invite other email addresses within the application. If you already have an account, you can also log in. Once you are able to access the app, you can retrieve your API key.

Find your API Key

Your API Key can be found directly in the UI:
  1. Access the Developer section from the sidebar;
  2. The first tab of this section is related to your API keys; and
  3. Click the Copy button to copy it to clipboard.

Configuration

Version

Docker images are always updated to the last stable version in the docker-compose.yml file. You can use a different tag if needed by checking the releases list.
We recommend avoiding the usage of latest tag, you should use the last tagged version, you can track the latest versions on Dockerhub

Environment variables

Lago uses the following environment variables to configure the components of the application. You can override them to customise your setup.
We recommend that you change POSTGRES_PASSWORD, SECRET_KEY_BASE, LAGO_RSA_PRIVATE_KEY, LAGO_ENCRYPTION_PRIMARY_KEY, LAGO_ENCRYPTION_DETERMINISTIC_KEY and LAGO_ENCRYPTION_KEY_DERIVATION_SALT to improve the security of your Lago instance:
  • SECRET_KEY_BASE can be generated using the openssl rand -hex 64 command.
  • LAGO_RSA_PRIVATE_KEY can be generated using the openssl genrsa 2048 | base64 command.
  • LAGO_ENCRYPTION_PRIMARY_KEY, LAGO_ENCRYPTION_DETERMINISTIC_KEY and LAGO_ENCRYPTION_KEY_DERIVATION_SALT can all be generated using the cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 command.

Components

Lago uses the following containers: You can also use your own Postgres or Redis server. To do so, remove the db and redis configurations from the docker-compose.yml file and update the environment variables accordingly.

Configuring the database

Connection

DATABASE_URL
Lago connects to PostgreSQL through a standard Rails DATABASE_URL environment variable:
The available variables are listed in the sections below.
When using the Docker Compose
When using the Docker Compose, the POSTGRES_* variables are used to build the DATABASE_URL for the Lago applications as follows:
Therefore, you do not need to set DATABASE_URL explicitly in this setup. Although it is possible to use the Docker Compose with an external Postgres instance, the bundled docker-compose.yml also ships a db service which is configured using the POSTGRES_DB, POSTGRES_USER, POSTGRES_PASSWORD and POSTGRES_PORT variables. When using the bundled db service, we suggest to change the default POSTGRES_PASSWORD value.
Note that it is still possible to override DATABASE_URL when using the Docker Compose. The caveat is that the bundled db service will be configured using the POSTGRES_* variables, possibly causing conflicts. So we recommend using the POSTGRES_* over DATABASE_URL when using the bundled db service.

Schema

By default, Lago uses the public schema in Postgres. Lago allows you to isolate Lago’s tables in a dedicated schema if you share your database with other applications. You can change that by setting the POSTGRES_SCHEMA environment variable:
It is also possible to set the schema in the DATABASE_URL directly using the search_path variable:
Unlike the other POSTGRES_* variables, POSTGRES_SCHEMA applies in all setups.

Connection pool

Total connections to Postgres ≈ DATABASE_POOL × (api/worker/etc.). Keep this comfortably below your Postgres max_connections.

Statement-level safeguards

These three opt-in variables are applied to every Lago Rails connection (API, workers, clock, Rake tasks). They are unset by default, which means Postgres queries runs with no timeout unless explicitly set. Setting a variable to 0 explicitly disables that specific cap (same as leaving it unset). You can also set these timeouts via DATABASE_URL:
These timeouts apply to every process that boots the Rails app, including Sidekiq workers, the clock container, and Rake tasks such as migrations. Long-running background jobs and schema migrations can be killed if you set aggressive limits globally. Apply tight caps to the web tier and set them higher on workers, clock and migration entrypoints.
We recommend to set the timeouts lower than your HTTP-layer timeout so Postgres cancels the query before the client gives up.

Enabling SSL

If your PostgreSQL server requires SSL connections (e.g., using a PEM certificate for verify-full mode), you can configure the connection using either libpq environment variables or the DATABASE_URL parameters.
Using libpq environment variables
Set any of the libpq SSL environment variables:
For an exhaustive list of environment variables, refer to the libpq environment variables documentation.
Using DATABASE_URL
Alternatively, you can append any of the libpq SSL parameters directly to the DATABASE_URL:
For an exhaustive list of SSL parameters, refer to the libpq documentation.

Best practices

  • Bring your own Postgres in production. The bundled db service in docker-compose.yml is intended for local trials. For production, run a managed or dedicated Postgres instance and point Lago at it via DATABASE_URL.
  • Use DATABASE_URL as the single source of truth outside of docker-compose. It is the only variable Lago reads in production; POSTGRES_* only apply when the bundled db service is in use.
  • Size the pool to your concurrency. A good rule of thumb is DATABASE_POOL ≥ Puma threads per process and ≥ Sidekiq concurrency per worker. Total connections must stay under Postgres max_connections.
  • Disable prepared statements only when needed. Prepared statements are tied to a single Postgres connection. Transaction-mode poolers (e.g. PgBouncer) reuse backend connections between transactions, so a statement prepared on one may not exist on the next. Set DATABASE_PREPARED_STATEMENTS=false if your pooler doesn’t preserve them across reuses.
  • Apply timeouts at the web tier first. Roll out LAGO_DATABASE_STATEMENT_TIMEOUT on the API only, monitor cancellations for 24–48 h, then extend to other tiers with more generous values if needed.
  • Encrypt connections. Configure SSL with verify-full against a known CA. See Enabling SSL above.
  • Keep Postgres healthy. Once Lago is connected, follow the Database maintenance guide for autovacuum, autoanalyze and slow-query monitoring.

Configuring Redis

Lago uses Redis for two independent purposes:
  • Job queue - Sidekiq stores background-job state in Redis. The API enqueues jobs that workers and the clock process pick up.
  • Application cache - Lago uses Redis as a cache-store for compute-heavy values (current usage, etc.).
You can run a single Redis instance for both (the bundled Docker Compose does this) but for a production-ready environment, it is recommended to separate them. Each role has its own set of environment variables so they can be configured independently.

Sidekiq Redis (job queue)

REDIS_URL
Lago’s Sidekiq workers connect to Redis through the REDIS_URL environment variable:
When using the Docker Compose, the bundled docker-compose.yml ships a redis service. REDIS_URL=redis://redis:6379 already points at it, so you do not need to override the variable in this setup.

Cache Redis (application cache)

LAGO_REDIS_CACHE_URL
Lago’s API and workers reach the Rails cache through LAGO_REDIS_CACHE_URL:
When using the Docker Compose, the bundled redis service is reused for the cache in the default Docker Compose setup. LAGO_REDIS_CACHE_URL=redis://redis:6379 is pre-configured.

Authentication

It is possible to configure Redis with password-only or ACL-based authentication. In such case, you can configure Lago to authenticate with Redis.
Sidekiq Redis (job queue)
If you use password-only authentication, you can set REDIS_PASSWORD or include the password in REDIS_URL:
When using ACL-based authentication, you must include the username and password in REDIS_URL:
Cache Redis (application cache)
If you use password-only authentication, you can set LAGO_REDIS_CACHE_PASSWORD or include the password in LAGO_REDIS_CACHE_URL:
When using ACL-based authentication, you must include the username and password in LAGO_REDIS_CACHE_URL:

Enabling SSL on Redis

If your Redis server requires SSL connections, you can enable it by using the rediss:// scheme in your Redis URLs:

Managed Redis services

We recommened using Lago with managed Redis providers, such as Amazon ElastiCache. These services handle replication, automatic failover, backups, and monitoring on your behalf, providing a highly available Redis setup with minimal operational overhead. Point Lago at the provider’s primary endpoint via the standard URL variable. Failover is transparent: when the provider promotes a replica, the endpoint stays the same, and the next reconnect lands on the new master.

High availability with Redis Sentinel

When using a dedicated Redis setup that you manage yourself, you can achieve high availability with Redis Sentinel. Sentinel is Redis’s built-in monitoring and failover mechanism: a small cluster of Sentinel processes watches the Redis nodes, agrees by quorum when the master is unreachable, and promotes one of the existing replicas. Lago connects to the Sentinels instead of directly to a Redis node, and automatically reconnects to the new master if a failover occurs - no restart or operator action required. You can enable Sentinel for the Sidekiq queue, the cache, or both. Each consumer reads its own variables, so mixing modes is supported (for example, Sidekiq through Sentinel and the cache through a static URL). If you’d like to use Redis Sentinel, we recommend that you properly read through its documentation and define monitoring and alerting on Sentinel events. Furthermore we suggest to the test failover (e.g., by simulating consecutive master failures) thoroughly and regularly during low-traffic/maintenance periods or on a staging environment to make sure your setup works as expected.
Redis also provides high availability through Redis Cluster, but Sidekiq doesn’t support it. Sentinel is the only recommended HA solution for self-hosted Lago deployments using dedicated Redis.
Sidekiq Sentinel configuration
REDIS_PASSWORD continues to authenticate against the underlying Redis nodes when Sentinel is enabled. You do not need to set REDIS_URL when Sentinel mode is enabled. Lago discovers the current Redis master dynamically from LAGO_REDIS_SIDEKIQ_SENTINELS. If REDIS_URL is also set, Lago only reuses its connection options, such as the scheme (redis:// or rediss://), password, and database number. The host and port from REDIS_URL are ignored because Sentinel provides the active master address.
Cache Sentinel configuration
REDIS_PASSWORD continues to authenticate against the underlying Redis nodes when Sentinel is enabled. You do not need to set LAGO_REDIS_CACHE_URL when Sentinel mode is enabled. Lago discovers the current Redis master dynamically from LAGO_REDIS_CACHE_SENTINELS. If LAGO_REDIS_CACHE_URL is also set, Lago only reuses its connection options, such as the scheme (redis:// or rediss://), password, and database number. The host and port from LAGO_REDIS_CACHE_URL are ignored because Sentinel provides the active master address.

Best practices

  • Bring your own Redis in production. The bundled redis service in docker-compose.yml is intended for local trials. For production, run a managed or dedicated Redis (or multiple Redis instance fronted by Sentinel) and point Lago at it.
  • Use separate Redis instances for the cache and the queue in production. This prevents a surge in one workload (e.g., heavy Sidekiq activity) from impacting the other (e.g., API cache performance). It also allows you to properly configure each Redis instance according to its needs (memory, eviction policy, etc.).
  • Use managed instances or Redis Sentinel for HA. A single Redis master is a single point of failure. For production loads with availability requirements, use Sentinel or a managed Redis service that provides equivalent automatic failover.
  • Encrypt connections. Use the rediss:// scheme in REDIS_URL / LAGO_REDIS_CACHE_URL to enable TLS to your Redis nodes.

Enabling SSL on the Frontend

Lago Front application can be configured to support SSL certificates. You have two options to achieve this:
  • by using a self-signed certificate
  • by using a signed certificate generated by Let’s Encrypt

Self Signed Certificate

  • Run the script to generate the certificates
  • Take a look at the docker-compose.yml file and uncomment the part related to the Self-Signed certificate
  • You can now start the front application with a self signed SSL certificate support

Let’s Encrypt Certificate

  • Edit the file extra/init-letsencrypt.sh
    • You must replace lago.example with your domain name
    • You must enter a valid email address
  • Edit the file extra/nginx-letsencrypt.conf
    • You must replace lago.example with your domain name
  • Uncomment the Cerbot lines in the docker-compose.yml file
  • Run the following script
  • Take a look at the docker-compose.yml file and uncomment all the parts related to the Let’s Encrypt’s support
  • You can now start the front application with the signed certificate support

Storage

By default, Lago uses the internal storage of the container. You can customize it by defining different environment variables. We currently support :
  • AWS S3
  • AWS S3 Compatibles Endpoints
  • Google Cloud Service Cloud Storage
If you use S3 compatibles endpoints, you should set the LAGO_AWS_S3_REGION to a default value (e.g., us-east-1), it is required to work properly!

AWS S3

You have to set these variables to use AWS S3.

AWS S3 Compatible Endpoints

You have to set these variables to use AWS S3 Compatible Endpoints.

Google Cloud Service Cloud Storage

You have to set those variables to use GCS Cloud Storage. In the docker-compose.yml file, you must uncomment the lines and pass the correct GCS credentials json file.

SMTP Configuration

In order to use the email feature, you need to configure some environment variables.
In addition to this configuration, defining an organization email in Settings > Organization is mandatory; without it, emails will not be sent.

Single Sign On using Google authentication

In order to enable Google authentication for single sign on, you have to set those variables.