The Big Picture

OFAuth is like Plaid for OnlyFans. Just as Plaid lets apps connect to bank accounts without handling banking credentials, OFAuth lets your platform connect to OnlyFans accounts without managing authentication complexity. You focus on your product. OFAuth handles OnlyFans.

Core Concepts

Connections

A Connection represents a linked OnlyFans account. When a user authenticates through OFAuth, you receive a Connection ID that you use to access their data.

What You Store

Just the Connection ID (e.g., conn_abc123)—a simple string in your database

What OFAuth Handles

Sessions, credentials, expiration, re-authentication—all the complexity

Think of a Connection ID like an access token: it represents permission to act on behalf of a user.

The Link API handles user authentication. It’s how OnlyFans users connect their accounts to your platform.

  1. Create a Link session. Your backend calls OFAuth to get an authentication URL.
  2. User authenticates. They log into OnlyFans on a secure OFAuth-hosted page.
  3. Receive a Connection. OFAuth redirects back with a Connection ID you can use.

Link is similar to OAuth: users see a branded consent flow, enter their credentials on a trusted page, and your app receives a token (the Connection ID) to use.

You never see or handle OnlyFans passwords. Authentication happens entirely on OFAuth’s secure pages.
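
One way to handle step 3 on your own backend, as an added example that is not OFAuth or SDK code: it ties the redirect to the user who started the Link session, honours the 1-hour Link session lifetime, and stores only the Connection ID. `LinkCallbackGuard`, the `state` value and the `conn_` format check are assumptions; the page does not say how the redirect carries the Connection ID.

```javascript
// Added example, not OFAuth or SDK code. All names here are hypothetical.
const { randomBytes } = require("node:crypto");

// The page states that a Link session expires after 1 hour.
const LINK_TTL_MS = 60 * 60 * 1000;
// Assumed ID shape, inferred only from the page's sample "conn_abc123".
const CONNECTION_ID_RE = /^conn_[A-Za-z0-9_-]{1,128}$/;

class LinkCallbackGuard {
  constructor(now = () => Date.now()) {
    this.now = now;               // injectable clock for testing
    this.pending = new Map();     // state -> { userId, expiresAt }
    this.connections = new Map(); // userId -> Connection ID (all we store)
  }

  // Step 1: call before requesting the authentication URL. The returned
  // state is assumed to round-trip through your own redirect URL.
  begin(userId) {
    const state = randomBytes(32).toString("base64url");
    this.pending.set(state, { userId, expiresAt: this.now() + LINK_TTL_MS });
    return state;
  }

  // Step 3: call from the redirect handler with the logged-in user's ID.
  complete(sessionUserId, state, connectionId) {
    const entry = this.pending.get(state);
    if (!entry) return { ok: false, reason: "unknown_or_replayed_state" };
    this.pending.delete(state); // single use, whatever the outcome
    if (this.now() > entry.expiresAt) return { ok: false, reason: "expired" };
    if (entry.userId !== sessionUserId) {
      return { ok: false, reason: "user_mismatch" };
    }
    if (typeof connectionId !== "string" || !CONNECTION_ID_RE.test(connectionId)) {
      return { ok: false, reason: "bad_connection_id" };
    }
    this.connections.set(sessionUserId, connectionId);
    return { ok: true, reason: null };
  }
}

// Constructed demo values.
const guard = new LinkCallbackGuard();
const state = guard.begin("user-1");
console.log(guard.complete("user-1", state, "conn_abc123")); // accepted
console.log(guard.complete("user-1", state, "conn_abc123")); // replay rejected
```

Because the Connection ID works like an access token, keep it out of logs and client-side storage once it has been saved.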

Access API

The Access API lets you fetch OnlyFans data using a Connection ID. It’s a proxy that handles request signing, session management, and API complexity.
Your App → Access API → OnlyFans → Access API → Your App

     Handles signing, retries,
     rate limits, and errors
Two ways to use it:

| Method | Best For |
| --- | --- |
| Managed Endpoints | Common operations like fetching profiles, posts, messages: stable, typed responses |
| Proxy Endpoints | Any OnlyFans API path: raw responses for advanced use cases |

Most integrations only use Managed Endpoints. The Proxy is there when you need something specific that isn’t covered.

Dynamic Rules (Advanced)

OnlyFans requires cryptographically signed requests. These signing rules change frequently—sometimes multiple times per day.
Most users don’t need Dynamic Rules. If you’re using the Access API or SDK, signing is automatic. Dynamic Rules are only for advanced use cases where you call OnlyFans APIs directly.

| If you’re using… | Do you need Dynamic Rules? |
| --- | --- |
| Access API | No, signing is automatic |
| JavaScript SDK | No, handled by the SDK |
| Direct OnlyFans calls | Yes, you need current signing rules |

The Complete Flow

Here’s how a typical OFAuth integration works:
  1. Link creates the connection (one-time per user)
  2. Access fetches data using that connection (ongoing)

Glossary

| Term | Definition |
| --- | --- |
| Connection | A linked OnlyFans account, represented by a Connection ID |
| Connection ID | Unique identifier (e.g., conn_abc123) used to access a user’s data |
| Link Session | Temporary authentication flow; expires after 1 hour |
| API Key | Your OFAuth API key for authenticating requests |
| Dynamic Rules | Current OnlyFans request signing parameters |