Security Architecture

OFAuth is designed with a zero-credential architecture—your servers never see or store OnlyFans credentials.

Credential Handling

Your Servers

Only store Connection IDs—simple string tokens like conn_abc123. No credentials, no session data.

OFAuth Infrastructure

Credentials encrypted at rest with AES-256. Sessions managed in isolated, encrypted storage.

What You Store vs What OFAuth Stores

Data                 | Your Servers | OFAuth
Connection ID        | ✅ Stored    | ✅ Stored (metadata only)
OnlyFans credentials | ❌ Never     | ✅ Encrypted
Session tokens       | ❌ Never     | ✅ Encrypted
User content/data    | Your choice  | ❌ Not stored

Compliance benefit: Since you never handle credentials, the storage of sensitive authentication data stays out of your security audit scope. Your OFAuth API key and your Connection IDs still need to be treated as secrets on your side, because together they authorize requests on a user's behalf.

Encryption Standards

All data in OFAuth is protected with industry-standard encryption:
  • In transit: TLS 1.3 for all API communications
  • At rest: AES-256 encryption for stored credentials and sessions
  • Key management: Keys rotated regularly, stored in hardware security modules (HSMs)

Data Flow

OFAuth operates as a transparent proxy. We don’t store OnlyFans content data:
1. Request from your app: your server sends a request to OFAuth with a Connection ID.
2. OFAuth signs and forwards: we sign the request using the connection's session and forward it to OnlyFans.
3. Response returned: the OnlyFans response is returned directly to you; we don't store content.

What OFAuth stores: Connection metadata (status, timestamps), encrypted session data, and usage metrics for billing. What OFAuth doesn't store: OnlyFans content, messages, media, or user data.

Infrastructure Security

Cloud Infrastructure

Hosted on enterprise cloud providers with SOC 2 Type II certification

Network Security

All traffic encrypted, DDoS protection, WAF-protected endpoints

Access Controls

Role-based access, MFA required, audit logging for all operations

Monitoring

24/7 monitoring, automated alerting, incident response procedures

API Key Security

Your OFAuth API key authenticates requests from your servers:
Never expose your API key in client-side code. API keys should only be used in server-side code and stored in environment variables.
Best practices:
  • Store API keys in environment variables, not code
  • Use different API keys for development and production
  • Rotate keys periodically
  • Monitor API key usage in your dashboard
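The zero-credential pattern from the Data Flow section and the API key practices listed above, as an added Python example (this is not OFAuth's SDK and not code from this page). The base URL, the Bearer Authorization header, the proxy path layout, and the `conn_` Connection ID shape are assumptions taken from the example ID on this page; check the API reference for the real ones. The HTTP transport is injectable so the example runs offline against a constructed fake.

```python
"""
Server-side OFAuth client skeleton (added example, not OFAuth's own SDK).
Assumptions, all hypothetical: base URL https://api.ofauth.example, an
`Authorization: Bearer <api key>` header, and a proxy path that carries the
Connection ID. Take the real names from the OFAuth API reference.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# What your database holds per user: only the Connection ID.
# Constructed sample data; no credentials or session tokens anywhere.
USER_CONNECTIONS: Dict[str, str] = {
    "user-42": "conn_abc123",
}

# Shape of a Connection ID, inferred from the page's example "conn_abc123" (assumption).
CONNECTION_ID_RE = re.compile(r"^conn_[A-Za-z0-9]+$")


@dataclass(frozen=True)
class OFAuthRequest:
    method: str
    url: str
    headers: Dict[str, str]


class OFAuthClient:
    BASE_URL = "https://api.ofauth.example"  # hypothetical

    def __init__(self, api_key: Optional[str] = None, environment: str = "production",
                 transport: Optional[Callable[[OFAuthRequest], dict]] = None):
        # Separate variables for dev and prod keys so a dev key cannot be
        # wired into production by accident; the key is never read from code.
        env_var = "OFAUTH_API_KEY" if environment == "production" else "OFAUTH_API_KEY_DEV"
        self.api_key = api_key or os.environ.get(env_var)
        if not self.api_key:
            raise RuntimeError(f"{env_var} is not set; refusing to start without an API key")
        self.transport = transport or self._http_transport

    def build_request(self, connection_id: str, path: str) -> OFAuthRequest:
        """Request to OFAuth carrying only the Connection ID and your API key."""
        if not CONNECTION_ID_RE.match(connection_id):
            raise ValueError(f"not a Connection ID: {connection_id!r}")
        if not path.startswith("/"):
            raise ValueError("path must be absolute")
        return OFAuthRequest(
            method="GET",
            url=f"{self.BASE_URL}/connections/{connection_id}/proxy{path}",
            headers={"Authorization": f"Bearer {self.api_key}", "Accept": "application/json"},
        )

    def fetch_for_user(self, user_id: str, path: str) -> dict:
        connection_id = USER_CONNECTIONS.get(user_id)
        if connection_id is None:
            raise LookupError(f"user {user_id} has no OnlyFans connection")
        return self.transport(self.build_request(connection_id, path))

    @staticmethod
    def _http_transport(req: OFAuthRequest) -> dict:
        import json
        import urllib.request
        r = urllib.request.Request(req.url, headers=req.headers, method=req.method)
        with urllib.request.urlopen(r, timeout=10) as resp:
            return json.load(resp)


def redact(req: OFAuthRequest) -> dict:
    """Log-safe view of a request: the API key never reaches your logs."""
    headers = {k: ("Bearer [redacted]" if k == "Authorization" else v)
               for k, v in req.headers.items()}
    return {"method": req.method, "url": req.url, "headers": headers}


def fake_transport(req: OFAuthRequest) -> dict:
    # Offline stand-in for OFAuth, constructed for this example: echoes what it saw.
    return {"ok": True, "seen": redact(req)}


if __name__ == "__main__":
    client = OFAuthClient(api_key="test-key", transport=fake_transport)
    print(client.fetch_for_user("user-42", "/users/me"))
```

The point of the shape: the only user-specific thing your code ever touches is the Connection ID, the API key is read from the environment once at start-up and is redacted before anything is logged, and the client refuses to run without a key rather than silently sending unauthenticated requests.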

Session Management

OFAuth automatically manages OnlyFans session lifecycle:
Event           | OFAuth Action               | Your Action
Session expires | Attempts automatic refresh  | None required
Refresh fails   | Marks connection as expired | Re-authenticate user via Link
2FA required    | Notifies via webhook        | Prompt user to re-authenticate
Set up webhooks to get notified when connections need re-authentication. This lets you proactively reach out to users before their integration stops working.
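A webhook receiver for the lifecycle events in the table above, as an added Python example (not OFAuth's code). The event type names, the payload fields (`id`, `type`, `connection_id`), and the HMAC-SHA256 signature over the raw body are all assumptions made for the example; the page does not describe the webhook format, so take the real scheme from the webhook documentation. The handler does the three things a practitioner wants here: it rejects unverifiable or malformed deliveries, it is idempotent under retries, and it turns "refresh failed" and "2FA required" into a queued prompt asking the user to reconnect via Link.

```python
"""
Webhook handler for connection lifecycle events (added example, not OFAuth's own
code). Event names, payload fields and the signature scheme are hypothetical.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical event types mapped to the situations in the session table.
EVENT_ACTIONS = {
    "connection.expired":      "reauthenticate",  # refresh failed, user must re-link
    "connection.2fa_required": "reauthenticate",  # user must complete 2FA again
    "connection.refreshed":    None,              # nothing for you to do
}


@dataclass
class ConnectionRecord:
    status: str = "active"
    last_event_id: Optional[str] = None


@dataclass
class WebhookProcessor:
    secret: bytes
    connections: Dict[str, ConnectionRecord] = field(default_factory=dict)
    outbox: List[str] = field(default_factory=list)   # user notifications to send
    seen_event_ids: set = field(default_factory=set)  # for idempotent retries

    def verify(self, body: bytes, signature_header: str) -> bool:
        # Assumed scheme: hex HMAC-SHA256 of the raw body under a shared secret.
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature_header)

    def handle(self, body: bytes, signature_header: str) -> str:
        """Process one delivery and return a short status string."""
        if not self.verify(body, signature_header):
            return "rejected: bad signature"
        try:
            event = json.loads(body)
            event_id, etype, conn_id = event["id"], event["type"], event["connection_id"]
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed payload"
        if event_id in self.seen_event_ids:
            return "ignored: duplicate"  # deliveries get retried; act once
        self.seen_event_ids.add(event_id)
        if etype not in EVENT_ACTIONS:
            return f"ignored: unknown event {etype}"
        record = self.connections.setdefault(conn_id, ConnectionRecord())
        record.last_event_id = event_id
        if EVENT_ACTIONS[etype] == "reauthenticate":
            record.status = "needs_reauth"
            self.outbox.append(f"{conn_id}: ask user to reconnect via Link ({etype})")
            return "queued reauth prompt"
        record.status = "active"
        return "ok"


def sign(secret: bytes, body: bytes) -> str:
    """Producer side of the assumed scheme, used here only to build test deliveries."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


# Constructed sample delivery for a connection whose refresh failed.
SAMPLE = json.dumps({"id": "evt_1", "type": "connection.expired",
                     "connection_id": "conn_abc123"}).encode()

if __name__ == "__main__":
    p = WebhookProcessor(secret=b"whsec_test")
    print(p.handle(SAMPLE, sign(b"whsec_test", SAMPLE)))
    print(p.handle(SAMPLE, sign(b"whsec_test", SAMPLE)))  # retried delivery
    print(p.outbox)
```

Keep the deduplication set in durable storage (a database table keyed by event id) rather than process memory in a real deployment, otherwise a restart between a delivery and its retry prompts the user twice.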

Compliance Considerations

Using OFAuth simplifies your compliance posture:
OFAuth infrastructure is hosted on SOC 2 Type II certified cloud providers. Contact us for detailed security documentation.
OFAuth processes data as a data processor on your behalf. We provide DPAs upon request and support data deletion requests.
Contact us for information about data residency options for enterprise deployments.

Security Contact

For security concerns or to report vulnerabilities: