Security Architecture

OFAuth is designed with a zero-credential storage architecture—neither your servers nor OFAuth ever store OnlyFans credentials. Credentials are used once during authentication and immediately discarded.

Credential Handling

Your Servers

Only store Connection IDs—simple string tokens like conn_abc123. No credentials, no session data.

OFAuth Infrastructure

Zero credential storage. Credentials are used once to establish a session, then immediately discarded. Only active session tokens are stored encrypted.

What You Store vs What OFAuth Stores

| Data | Your Servers | OFAuth |
|---|---|---|
| Connection ID | ✅ Stored | ✅ Stored (connection metadata) |
| OnlyFans credentials | ❌ Never | ❌ Never stored |
| Session tokens | ❌ Never | ✅ Encrypted (active sessions only) |
| User content/data | Your choice | ❌ Not stored |
Compliance benefit: Neither you nor OFAuth store credentials. OFAuth only maintains encrypted session tokens for active connections, minimizing security exposure.

Encryption Standards

All data in OFAuth is protected with industry-standard encryption:
  • In transit: TLS 1.3 for all API communications
  • At rest: AES-256 encryption for session data

Data Flow

OFAuth operates as a transparent proxy. We don’t store OnlyFans content data:
1. Request from your app: your server sends a request to OFAuth with a Connection ID.
2. OFAuth signs and forwards: we sign the request using the connection’s session and forward it to OnlyFans.
3. Response returned: the OnlyFans response is returned directly to you—we don’t store content.
What OFAuth stores: Connection metadata (status, timestamps), encrypted session data, and usage metrics for billing. What OFAuth doesn’t store: OnlyFans content, messages, media, or user data.

Infrastructure Security

Cloud Infrastructure

Hosted on enterprise cloud providers with SOC 2 Type II certification

Network Security

All traffic encrypted, DDoS protection, WAF-protected endpoints

Access Controls

Role-based access, MFA required, audit logging for all operations

Monitoring

24/7 monitoring, automated alerting, incident response procedures

Session Management

OFAuth automatically manages OnlyFans session lifecycle:
| Event | OFAuth Action | Your Action |
|---|---|---|
| Session expires | Attempts automatic refresh | None required |
| Refresh fails | Marks connection as expired | Re-authenticate user via Link |
| 2FA required | Notifies via webhook | Prompt user to re-authenticate |
Set up webhooks to get notified when connections need re-authentication. This lets you proactively reach out to users before their integration stops working.
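The following is an added example, not OFAuth's own code: a minimal webhook handler for the lifecycle events in the table above, keeping only Connection IDs and your own status flags locally, as the page's storage model describes. The event names (`connection.expired`, `connection.2fa_required`) and the JSON payload shape are assumptions; the real webhook schema is not shown on this page.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Local bookkeeping only: a Connection ID plus our own status flags.
# No OnlyFans credentials or session data are ever held here.
@dataclass
class ConnectionRecord:
    connection_id: str
    status: str = "active"
    needs_reauth: bool = False
    reauth_reason: Optional[str] = None

# Assumed event names; map each to the user-facing action from the table.
REAUTH_EVENTS = {
    "connection.expired": "Refresh failed; send the user through Link again",
    "connection.2fa_required": "OnlyFans asked for 2FA; prompt the user to re-authenticate",
}

def handle_webhook(store: dict, raw_body: bytes) -> dict:
    """Apply one webhook event to the local store and return the action to take.

    'action' is one of: 'ignored' (bad or unknown input), 'notify_user'.
    """
    try:
        event = json.loads(raw_body)
    except (ValueError, UnicodeDecodeError):
        return {"action": "ignored", "reason": "malformed body"}
    conn_id = event.get("connection_id") if isinstance(event, dict) else None
    kind = event.get("type") if isinstance(event, dict) else None
    record = store.get(conn_id) if isinstance(conn_id, str) else None
    if record is None:
        # Never create local state from an event naming an ID we do not know.
        return {"action": "ignored", "reason": "unknown connection"}
    if kind in REAUTH_EVENTS:
        record.status = "expired" if kind == "connection.expired" else "reauth_required"
        record.needs_reauth = True
        record.reauth_reason = REAUTH_EVENTS[kind]
        return {"action": "notify_user", "connection_id": conn_id, "message": record.reauth_reason}
    return {"action": "ignored", "reason": "unhandled event type %r" % (kind,)}

def mark_reauthenticated(store: dict, conn_id: str) -> None:
    """Call after the user completes Link again; clears the re-auth flag."""
    record = store[conn_id]
    record.status, record.needs_reauth, record.reauth_reason = "active", False, None

def connections_needing_reauth(store: dict) -> list:
    """Connection IDs you should proactively contact users about."""
    return sorted(cid for cid, rec in store.items() if rec.needs_reauth)
```

The `connections_needing_reauth` list is what you would feed into outreach before a user's integration stops working.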

Compliance Considerations

Using OFAuth simplifies your compliance posture:
OFAuth infrastructure is hosted on SOC 2 Type II certified cloud providers. Contact us for detailed security documentation.
OFAuth processes data as a data processor on your behalf. We provide DPAs upon request and support data deletion requests.
Contact us for information about data residency options for enterprise deployments.

Data Retention

| Data Type | Retention | Notes |
|---|---|---|
| Connection metadata | Until deleted | Status, timestamps, permissions |
| Session tokens | Active connections only | Encrypted, auto-expire |
| API request logs | 30 days | For debugging, no content stored |
| OnlyFans content | Never stored | Pass-through only |
| Webhook delivery logs | 7 days | For retry and debugging |
When you delete a connection via the API, all associated data is permanently removed.

Security Contact

For security concerns or to report vulnerabilities: