Which front-end for Apache Fineract? web-app, community-app, and the two new UIs

Fineract ships without a user interface. That is on purpose, and the docs say so plainly: it is a backend, an API, and the screen your staff click on is left to you. Which is fine right up until the moment the API is running and someone asks where they actually log in to approve a loan. Then you go looking, and what you find is not one obvious answer but a small graveyard of projects: one archived, one labelled deprecated, one that looks current, and two more billed as the future that turn out to be two different things. So let us make it simple.

We run managed Fineract with a working back-office UI on top of it, so we have made this call and live with it. Here is the honest state of the Fineract front-end in 2026: which one to run today, what is actually coming, and how to connect it without losing an afternoon to a certificate.

The short answer

Run the Angular web-app (openMF/web-app). It is the current, maintained operator console, it is on a modern Angular version, it is under active development, and it covers the day-to-day: clients, loans, savings, products, accounting, users, reports. If you just want a screen for your staff, that is the one. Everything else below is context for why the landscape looks more crowded than it is.

The landscape, sorted

There are really three operator web UIs in the conversation, and they are at very different stages.

community-app is the old one, and it is over. It is an AngularJS application, the original Mifos X community front end, and its own repository now says, in as many words, that it is deprecated and replaced by the web-app. The repository has been archived, meaning read-only, and its last real release was years ago. It also drifted behind the API as Fineract changed, so you would hit screens that quietly stopped matching the backend. Do not start here. If you inherited a deployment running it, the migration target is the web-app.
web-app is the current one, the Angular rebuild, and the one to run. This is the project the community points newcomers to and the one we run in production. It tracks a recent Angular major version and ships releases pinned to specific Fineract versions, so you can match your UI to your backend instead of guessing.
And then there is the future, which is where it gets interesting, because there are two of them.

The part everyone gets wrong: there are two "new" UIs, not one

If you read around, you will see "Fineract is moving to React" stated as fact. It is not quite true, and the confusion is worth untangling because it changes what you should watch.

There are two separate rewrites happening, by two different groups, in two different frameworks, for two different reasons.

The first is on the Mifos side. The same community that maintains the web-app is building a React version of it, in a separate repository, with a modern stack. It is real and it is progressing, but as of now it carries no release at all, its own readme says it is not recommended for deployment, and it is best understood as work in progress. So when someone says "the React app," this is usually what they mean, and the honest status is: not yet.

The second is on the Apache side, and this is the one almost nobody outside the project knows about. Apache Fineract is building its own back-office UI, from scratch, and it chose Angular, not React. The reason is licensing, not taste. The web-app you run today is a Mifos project under a copyleft license, which means Apache cannot bundle it into the official Fineract distribution. So the project is writing a fresh, Apache-licensed Angular interface, generated against the API, that can ship as static assets inside the official Docker image. It is early, scaffolding more than product, but the intent is clear: a UI that comes in the box.

So the future is not "Fineract goes React." It is two parallel tracks: Mifos modernising its web-app toward React, and Apache building its own Angular UI it is allowed to ship. Both are early. Neither is something to deploy in 2026. The one you run is still the Angular web-app, and that will be true for a while.

A status map of the Apache Fineract operator front-ends. At the top, Apache Fineract ships no UI, so you pick the front-end. Yesterday's option is community-app, AngularJS, deprecated and archived, do not use. Today's option is web-app, Angular 20, current, run this today; community-app was replaced by it. From the web-app, two separate future efforts branch off: mifos-x-web-app-react, Mifos's React rewrite, work in progress and not for production; and Fineract's own back-office UI, an Apache-licensed Angular app that ships in the Docker image, still early. A note clarifies: two separate rewrites, not one. Mifos is going React, Apache is building its own Angular UI. Both are early; neither is ready to deploy. — The operator UI landscape in 2026: community-app is gone, the Angular web-app is the one to run, and the two "new" UIs are separate efforts in different frameworks.

Connecting the web-app to your backend

This is where the real time gets lost, so here is the shape of it. The web-app is a static single-page application; it runs in the browser and talks to your Fineract instance entirely over the REST API. You point it at the backend with three things:

The API URL, your Fineract server, which defaults to https://localhost:8443 and you set to wherever your instance actually lives.
The path, which is always /fineract-provider/api/v1. Fineract serves its API under that prefix; the web-app expects it.
The tenant, the tenantIdentifier, which has to match a tenant that exists in your Fineract instance. Out of the box that is default. Get this wrong and nothing loads, because every call needs to know which institution it is for.

You can bake those into the app's environment configuration before you build it, pass them as Docker environment variables, or even hand them in as URL query parameters for a quick test. For local development the repository ships a proxy config so the dev server forwards API calls to your backend, which conveniently sidesteps the cross-origin problem while you are working. None of it requires touching the backend; the web-app is a pure API client.

The three things that actually break it

When the UI loads but every action spins or fails, it is almost always one of these, and they are not the ones the old guides warn about.

The self-signed certificate. This is the big one, and it catches nearly everyone. Fineract ships with a built-in TLS certificate meant for localhost development only, and your browser does not trust it. So the UI loads over its own connection, then makes its first call to https://your-backend:8443, and the browser silently refuses because the certificate is self-signed. The fix during setup is to open the backend URL directly in the browser once and accept the warning, which tells the browser to trust it for the session. In production you do the real thing: put a proper certificate in front of Fineract so nobody has to click through anything. Until you do, "the UI does nothing" is usually the browser quietly blocking an untrusted backend.
The port and protocol mismatch. Fineract defaults to HTTPS on 8443. People decide they want plain HTTP on 8080, flip one setting, and are surprised when requests still go out as HTTPS or hit a dead port. Running without TLS takes two changes in step, turning SSL off (FINERACT_SERVER_SSL_ENABLED=false) and moving the port (FINERACT_SERVER_PORT=8080), and doing one without the other leaves you with a half-configured server that the UI cannot reach. Pick HTTPS and a real certificate and most of this disappears.
CORS, but probably not the way you have read. Older guides spend paragraphs on cross-origin errors, and for years that was a genuine wall: the browser blocked the web-app's calls because Fineract did not return the right headers. Current Fineract flips that default. Out of the box it now enables CORS with a permissive policy, so for most people the classic error simply does not appear anymore. The catch is the inverse: that wide-open default is itself something you should tighten for production, and the moment you lock the allowed origins down to your real UI domain, you reintroduce the possibility of blocking yourself if you get it wrong. So CORS is less "turn it on" and more "it is already on, now scope it carefully."

The fourth, the tenant, is less a failure than a forgotten field: if calls 401 or come back empty, check that the tenantIdentifier the UI is sending actually matches a tenant in your instance.

So, what should you do?

If you need a screen for your staff today, clone the Angular web-app, point it at your backend with the API URL, the /fineract-provider/api/v1 path, and your tenant, put a real certificate in front of Fineract, and you have a working operator console. Skip community-app entirely. Keep half an eye on both new UIs, the Mifos React rewrite and Apache's own Angular interface, but do not build a plan around either yet. Our UI options guide has the connection details written out, and if your instance is refusing to come up at all before you even get to the UI, the common first-boot errors are a better place to start than the front end.

That last mile is the part we hand you finished. Finecko runs managed Apache Fineract with the Mifos web app already on top of it, connected, behind a real certificate, with the tenant wired and the API reachable, so your team gets a working back office instead of a bare API and a shopping trip through half a dozen repositories. It is an admin console, not a field-officer mobile app, so it is honest about what it is. But if all you wanted was somewhere for your staff to approve a loan without first becoming an expert on self-signed certificates, that part is already done.