n8n self-host with Bexio integration: from Docker-Compose to a dunning workflow (May 2026)

What is this about?

This guide takes a fiduciary or SME IT from zero to a production-ready n8n instance with Bexio integration. You install n8n via Docker-Compose with PostgreSQL as the backend, register an OAuth app in the Bexio developer portal, receive webhook events and build a first workflow that on each new Bexio invoice checks the dunning status and schedules a reminder mail if necessary.

The stack is built for EU hosting and Swiss data protection. n8n runs on a Hetzner server in Falkenstein or Helsinki, Postgres in the same compose file, reverse proxy with Caddy or Traefik for automatic Let's Encrypt SSL. Bexio is Swiss cloud anyway – so the whole workflow has no US touchpoints.

Prerequisites: a Bexio account with the accounting module (from CHF 39/month), a server with at least 2 vCPU and 4 GB RAM (Hetzner CX22 at CHF 5/month is enough to start), a subdomain (e.g. n8n.your-domain.ch) with Cloudflare DNS. Expected setup time: 4-6 hours for an experienced admin, 1-2 days for first-timers.

Why n8n and why self-host?

n8n is the leading open-source workflow tool in the EU region as of May 2026. With over 60,000 GitHub stars, a fair-code licence (commercial use allowed, competing SaaS not), Docker-native deployment and more than 800 prebuilt integrations (including Bexio), it is the only serious alternative to Make, Zapier and Microsoft Power Automate for Swiss SMEs.

Self-host versus n8n Cloud is decided mainly by data protection. n8n Cloud runs in EU region, but business data passing through (Bexio invoices, client data, mail content) briefly sits at n8n GmbH in Berlin during workflow execution. For fiduciary offices with professional secrecy and lawyer confidentiality, self-host is the clean path. Plus: cloud cost climbs to CHF 50-200/month above 5 workflows; self-host on Hetzner runs at CHF 5-15.

The Bexio integration is the lever for the largest Swiss SME universe. As of May 2026, Bexio has over 90,000 Swiss SME customers, an open REST API with OAuth 2.0 auth, webhook events for all main entities (invoice, contact, order, project). Every fiduciary has clients on Bexio – n8n is the tool that chains Bexio data with everything else: email, AI classification, CRM, Slack, Telegram, own database.

How the setup hangs together

The architecture has four layers: server base (Docker + Traefik/Caddy + Postgres), n8n container, Bexio OAuth app, workflow logic.

Server base: a Linux server with Docker-Compose. Reverse proxy (Traefik or Caddy) terminates TLS via Let's Encrypt, routes n8n.your-domain.ch to the n8n container. Postgres container as backend for n8n (workflow definitions, execution history, credentials encrypted).

n8n container: ghcr.io/n8n-io/n8n in the current stable version 1.65+ (May 2026). Environment variables set the Postgres connect (DB_TYPE=postgresdb, DB_POSTGRESDB_HOST, etc.), the encryption key for credentials (N8N_ENCRYPTION_KEY – 32 characters, securely generated), the webhook URL (WEBHOOK_URL=https://n8n.your-domain.ch/) and the auth mode (N8N_BASIC_AUTH_ACTIVE=true initially, later OIDC/SAML).

Bexio OAuth: in the Bexio developer portal (developer.bexio.com), register an OAuth app. Redirect URI set to https://n8n.your-domain.ch/rest/oauth2-credential/callback. Select scopes: kb_invoice_show, contact_show, accounting, monitoring_show – minimum scopes needed for the dunning workflow. Note client ID and client secret.

Webhook receiver: n8n offers a webhook trigger node that provides its own URL. Enter that URL in Bexio under "Settings → Webhooks", select trigger events "invoice created" and "invoice sent". Bexio POSTs JSON to n8n on each event.

Workflow logic for dunning: trigger node receives webhook. HTTP request node fetches the current invoice with due date via OAuth token. IF node checks: is date > today + 30 days? If yes, continue. HTTP request pulls dunning status and customer master data. IF node checks: did the customer already get a first reminder? If no, an email node sends the first reminder via Brevo SMTP. A Bexio node sets the dunning status to "reminder sent". A Postgres node logs the event into an audit table.

The audit log matters for compliance: every automatic dunning is recorded with timestamp, invoice number, customer and mail content. On complaints it is provable what was sent automatically and when.

n8n + Bexio in 10 steps

1. 01Step 1 – set up Hetzner server: Hetzner cloud console, CX22 (2 vCPU, 4 GB RAM, 40 GB SSD, CHF 5/month) in Falkenstein. Upload SSH key at creation. After boot: `ssh root@<ip>`, `apt update && apt upgrade -y`, `ufw allow 22,80,443`, `ufw enable`.
2. 02Step 2 – install Docker: `curl -fsSL https://get.docker.com | sh`. `apt install -y docker-compose-plugin`. `docker run hello-world` to test. Create a user, add to docker group: `adduser n8nadmin && usermod -aG docker n8nadmin`.
3. 03Step 3 – DNS and reverse proxy: in Cloudflare an A record `n8n.your-domain.ch → <Hetzner IP>` as DNS-only. Create `/opt/n8n`. docker-compose.yml with Traefik service (image traefik:v3.2) + Letsencrypt resolver. Start Traefik first, `docker compose up -d traefik`, check logs for the TLS certificate.
4. 04Step 4 – Postgres and n8n in compose: extend docker-compose.yml: postgres:17-alpine with volume `pgdata:/var/lib/postgresql/data`, env POSTGRES_PASSWORD from .env. n8n service ghcr.io/n8n-io/n8n:1.65 with env DB_TYPE=postgresdb, DB_POSTGRESDB_HOST=postgres, DB_POSTGRESDB_USER=n8n, N8N_ENCRYPTION_KEY=`openssl rand -hex 32`, WEBHOOK_URL=https://n8n.your-domain.ch/. Traefik labels for host routing.
5. 05Step 5 – bring n8n up: `docker compose up -d`. Check `docker logs n8n -f`. First login at https://n8n.your-domain.ch – n8n asks for owner account creation. Set mail and password. Enable 2FA in account settings.
6. 06Step 6 – register Bexio OAuth app: at developer.bexio.com, "Create new application". Name "n8n Production", redirect URI exactly `https://n8n.your-domain.ch/rest/oauth2-credential/callback`. Scopes: kb_invoice_show, contact_show, accounting, monitoring_show, kb_invoice_edit (to write dunning status). Note client ID and client secret.
7. 07Step 7 – Bexio credentials in n8n: under "Credentials → New → Bexio OAuth2 API" enter: client ID and secret from step 6, Auth URL `https://idp.bexio.com/realms/bexio/protocol/openid-connect/auth`, token URL `https://idp.bexio.com/realms/bexio/protocol/openid-connect/token`. Click "Connect my account", Bexio login, Authorize. Credential is saved.
8. 08Step 8 – set up the webhook in Bexio: in the Bexio UI under "Settings → API & Interfaces → Webhooks" create a new webhook. URL: production URL generated from the n8n workflow editor with a webhook trigger node (e.g. https://n8n.your-domain.ch/webhook/abc-123). Events: "invoice created", "invoice sent".
9. 09Step 9 – build the "dunning status" workflow: in n8n a new workflow. Trigger: webhook (POST). Node 2: HTTP request → Bexio API GET /2.0/kb_invoice/{{$json.id}} with OAuth credential. Node 3: IF node – `{{$json.is_valid_to < $today.minus({days: 30}).toISO()}}`. Node 4 (true path): HTTP request → GET /2.0/contact/{{$json.contact_id}}. Node 5: email send via Brevo SMTP – recipient from contact data, body with invoice details. Node 6: HTTP request → PUT /2.0/kb_invoice/{{$json.id}} with `{"mwst_is_net":true,...}` and memo "reminder on {{$today}} via n8n". Node 7: Postgres insert into audit table. Save + activate.
10. 10Step 10 – test, monitor, back up: create a test invoice in Bexio, the webhook should fire, check the n8n execution log. On success, check the "dunning status" field in Bexio and the reminder in the mailbox. Monitoring: n8n metrics endpoint with Prometheus scraper (`N8N_METRICS=true`), Grafana dashboard for workflow success rate. Backup: `pg_dump` daily via cron into S3-compatible storage (e.g. Backblaze B2 with object lock).

When n8n + Bexio pays off

This setup is the right choice when (a) you have 5+ recurring Bexio processes (dunning, invoicing clients, accounting export, lead creation), (b) data volume goes beyond Excel (50+ items per month), and (c) data should or must stay in Bexio (no external cloud workflow providers).

Typical cases: a fiduciary manages 80 clients in Bexio and wants to send quarterly closing reminders for each client automatically. An SME with Bexio invoicing wants every lead from the web form auto-created as a contact, with a welcome mail sent. A fiduciary office wants every Bexio booking AI-classified (via LiteLLM to Mistral) by cost centre and account.

For single-use cases with fewer than 5 items per month, n8n is overkill – a simple cron-job script or a Bexio marketplace add-on is lighter. Once 3+ workflows build on each other, the investment in the n8n platform pays off.

When n8n + Bexio is not the fit

This setup is the wrong choice when (a) the team has no Docker and Linux admin – self-hosted n8n requires ongoing maintenance (updates, backup, monitoring). (b) Bexio is not the leading system – with Abacus or SAP, their API is the better path. (c) Workflows are time-critical (real-time, < 5 seconds) – n8n has webhook latency of about 1-3 seconds plus Bexio API latency.

Another pitfall: choosing n8n Cloud without clarifying the data-protection trade-off. The cloud offer is more convenient, but with professional secrecy self-host is the only clean variant. Anyone bound by secrecy and still on n8n Cloud risks an EDÖB confrontation on a data incident.

Do not forget: a Hetzner server without SSH 2FA. Self-host n8n requires server hygiene – otherwise the clean data-protection story is undone by an insecure server config. Minimum standard: SSH key only, fail2ban, automatic security updates, monitored Docker stack.

Trade-offs

FAQ

Related topics

Sources

1. n8n self-host documentation – Docker Compose with PostgreSQL · 2026-05
2. Bexio Developer Portal – OAuth 2.0 authentication and webhooks · 2026-05
3. n8n Bexio node reference · 2026-04
4. Traefik v3 – Let's Encrypt resolver and Docker provider · 2026-03
5. Hetzner Cloud – CX server line and Falkenstein region · 2026-05