DEV.co
Open-Source DevOps · kimai

kimai

Kimai is a professional open-source time-tracking application supporting multi-user teams, invoicing, and reporting. It offers both self-hosted and SaaS deployment options with features like SAML/LDAP authentication, role-based permissions, and a plugin marketplace.

Source: GitHub — github.com/kimai/kimai
4.8k
GitHub stars
802
Forks
PHP
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorykimai/kimai
Ownerkimai
Primary languagePHP
LicenseAGPL-3.0 — OSI-approved
Stars4.8k
Forks802
Open issues335
Latest release2.61.0 (2026-06-20)
Last updated2026-07-06
Sourcehttps://github.com/kimai/kimai

What kimai is

PHP 8.2+ Symfony-based web application using Doctrine ORM and MySQL/MariaDB backend. Provides REST JSON API, multi-timezone support, and deployable via Docker, traditional hosting, or managed cloud. Licensed under AGPL-3.0.

Quickstart

Get the kimai source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/kimai/kimai.gitcd kimai# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Freelance and small team time tracking

Lightweight self-hosted deployment for solo consultants or 2–10 person agencies needing invoice generation, project-based billing, and basic reporting without SaaS fees.

Mid-market enterprise time & attendance

Multi-tenant on-premise installation for companies with 50–500 users, supporting role-based access, team budgets, SAML/LDAP integration, and custom invoicing rules.

Compliance-sensitive organizations

Full data ownership via on-premise deployment; audit trails and role permissions support regulated industries requiring local control and transparency.

Implementation considerations

  • PHP 8.2+ with MariaDB ≥10.6 or MySQL ≥8.4 mandatory; verify hosting environment meets extension requirements (gd, intl, mbstring, pdo, tokenizer, xml, xsl, zip).
  • AGPL-3.0 requires any modifications or derivative works deployed to be open-sourced; assess whether internal customizations will trigger disclosure obligations.
  • Docker deployments available but subdirectory installations unsupported—require dedicated subdomain, increasing DNS and SSL management overhead.
  • ~2 weeks between releases per README; monitor update cadence for security patches and compatibility with PHP 8.4/8.5 lifecycle.
  • 335 open issues as of data snapshot; prioritize review of blocker issues and plugin marketplace compatibility with target version.

When to avoid it — and what to weigh

  • Proprietary SaaS-only requirement — If your compliance or licensing framework requires only proprietary software with vendor SLAs, Kimai's AGPL requirement and self-hosting model may conflict.
  • Zero operational overhead needed — Requires PHP, MySQL/MariaDB, and web server setup; no plug-and-play managed offering without running your own infrastructure or paying for the official SaaS.
  • Legacy .NET or Java tech stack — Built entirely on PHP/Symfony; integration with isolated .NET/Java systems is possible via REST API but adds complexity compared to native platform solutions.
  • Real-time GPS or field workforce tracking — Designed for office/project time tracking, not mobile-first field crew location logging or geofencing. Limited native mobile app support.

License & commercial use

AGPL-3.0 (GNU Affero General Public License v3.0). Network use triggers copyleft obligations—any deployed modifications must be source-available to users. Requires review if internal customization is planned.

AGPL-3.0 permits commercial use and hosting, but any network-deployed derivative must provide source code to users. A commercial support and SaaS offering (kimai.cloud) is operated by the project; clarify whether your use model requires that, or if self-hosting + AGPL compliance suffices. Consult legal counsel if shipping private modifications.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

AGPL-3.0 code transparency supports security review. Project includes CI/CD and code coverage reporting. Supports TOTP 2FA, SAML/LDAP, and role-based permissions. No explicit vulnerability disclosure policy or security audit results in data. MariaDB/MySQL dependency requires standard database hardening. Self-hosting model places security patching responsibility on operator. No warranty or SLA for OSS version.

Alternatives to consider

Toggl Track

Commercial SaaS time tracker with strong mobile app and integrations; suitable if no open-source/self-hosting requirement and managed operations preferred.

Harvest

Enterprise time + invoicing SaaS with white-label options; better fit if compliance mandates proprietary vendor contracts and zero operational overhead.

OpenTimesheet (OSS alternative)

Lighter PHP/Laravel-based open-source timesheet tool; consider if simpler feature set, smaller team, and AGPL avoidance are priorities.

Software development agency

Build on kimai with DEV.co software developers

Our team can help assess AGPL licensing implications, design a secure self-hosted deployment, and integrate Kimai with your existing systems. Start a technical review today.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

kimai FAQ

Can we deploy Kimai in a subdirectory under our domain?
No. README states subdirectory is not supported; you must use a dedicated subdomain (e.g., time.company.com).
What does AGPL-3.0 mean for our commercial time-tracking service?
AGPL-3.0 allows commercial use, but any network-deployed modifications must be source-available to users. If you resell Kimai as-is with no changes, no obligation; if you customize it, you must offer source access. Consult legal review for your specific model.
Is there a hosted SaaS option to avoid self-hosting?
Yes, kimai.cloud is the official SaaS offering. The OSS version requires self-hosting on your infrastructure (Docker, traditional server, etc.).
Does Kimai support mobile apps?
README does not detail native mobile app support; primary interface is web-based. Mobile browser responsiveness is mentioned; verify native app needs via documentation.

Custom software development services

Need help beyond evaluating kimai? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.

Ready to evaluate Kimai for your team?

Our team can help assess AGPL licensing implications, design a secure self-hosted deployment, and integrate Kimai with your existing systems. Start a technical review today.