Overview
Dynamic rules expose the signing configuration OnlyFans requires for direct API
requests. Most applications rely on the Access API, which signs calls for you.
Reach for dynamic rules only when you operate your own proxy or make raw
OnlyFans requests.
OnlyFans rotates signing requirements frequently. Always pull the latest rules
before generating signatures. Build retry and cache invalidation logic into your
infrastructure.
Base URL
https://api.ofauth.com/v2/dynamic-rules
Endpoints
Get Rules
Fetch the current signing rules bundle.
Response
{
  "rules": {
    "static_param": "...",
    "format": "...",
    "start": "...",
    "end": "...",
    "checksum_indexes": [1, 2, 3],
    "checksum_constant": 123,
    "app_token": "...",
    "revision": "rev_..."
  },
  "is_current": true,
  "is_public": false,
  "is_early_access": false
}
Sign Request
Generate a signature for a specific request without implementing the signing logic yourself.
POST /v2/dynamic-rules/sign
Body
| Field | Type | Required | Description |
|---|---|---|---|
| endpoint | string | Yes | The OnlyFans API path (e.g., /api2/v2/users/me) |
| time | number | No | Specific timestamp to sign with |
| user-id | string | No | OnlyFans user ID |
Response
{
  "signed": {
    "sign": "generated_signature_string",
    "time": "1698400000000",
    "user-id": "12345",
    "app-token": "33d5...",
    "x-of-rev": "rev_..."
  },
  "is_public": false,
  "is_early_access": false
}
Get Status
Check the status and revision of the current rules.
GET /v2/dynamic-rules/status
Response
{
  "revision": "rev_abc...",
  "is_current": true,
  "access_granted": true
}
Authentication
Required Scope: RULES
Access Tiers
| Tier | Description |
|---|---|
| Public | Stable but potentially stale rules, available to all plans |
| Current | Latest production rules, default for standard plans |
| Early Access | Preview feed for enterprise plans (requires preview_rules permission) |
Subscribe to the rules.updated webhook via the Dashboard to be notified when OnlyFans changes the signing requirements.
Best Practices
- Cache rules locally but refresh when is_current becomes false
- Monitor for OnlyFans 400/401 responses containing “Please refresh the page” and refetch rules
- Implement exponential backoff when rules are unavailable (503)
- If you call /sign at scale, consider replicating the signing algorithm in your environment using the rule payload to avoid per-request latency
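The first three practices above combined into one local cache, as an added example (not OFAuth's own code). The `fetch` transport hook, the `min_age` throttle and the retry parameters are assumptions made here; the sketch fetches from the base URL as given and does not reproduce the signing algorithm.

```python
import random
import time

RULES_URL = "https://api.ofauth.com/v2/dynamic-rules"  # base URL from the page
STALE_MARKER = "Please refresh the page"  # OnlyFans error text named on the page

class RulesUnavailable(Exception):
    """The rules endpoint kept answering 503."""

class RulesCache:
    # fetch(url) -> (status, parsed_json) is a hypothetical transport hook; a real
    # one sends your OFAuth credentials (RULES scope) with the request.
    def __init__(self, fetch, max_attempts=5, base_delay=0.5, min_age=30.0,
                 sleep=time.sleep, clock=time.monotonic):
        self._fetch, self._sleep, self._clock = fetch, sleep, clock
        self._max_attempts, self._base_delay = max_attempts, base_delay
        self._min_age = min_age  # assumed floor between refreshes of a stale bundle
        self._bundle, self._fetched_at = None, 0.0

    def refresh(self):
        """Refetch the bundle, backing off exponentially (with jitter) on 503."""
        for attempt in range(self._max_attempts):
            status, body = self._fetch(RULES_URL)
            if status == 200:
                self._bundle, self._fetched_at = body, self._clock()
                return body
            if status != 503:
                raise RuntimeError(f"unexpected status {status} from rules endpoint")
            self._sleep(random.uniform(0, self._base_delay * 2 ** attempt))
        raise RulesUnavailable(f"still 503 after {self._max_attempts} attempts")

    def rules(self):
        """Cached rules; refetch if empty, or if is_current is false and min_age passed."""
        stale = self._bundle is not None and not self._bundle.get("is_current")
        if self._bundle is None or (stale and self._clock() - self._fetched_at >= self._min_age):
            self.refresh()
        return self._bundle["rules"]

    def on_upstream_response(self, status, text):
        """Feed each OnlyFans response in; returns True if it forced a refetch."""
        if status in (400, 401) and STALE_MARKER in text:
            self.refresh()
            return True
        return False
```

The `min_age` floor keeps a bundle that reports `is_current: false` from triggering a refetch on every call.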