OFAuth webhooks push events to your server when connections change or system events occur. No polling required.

Configuration

Configure in the OFAuth Dashboard:
  • Set webhook endpoint URL (HTTPS required)
  • Select events to subscribe to
  • View delivery history

Event Types

Connection Events

Event                 Trigger
connection.created    New connection established
connection.updated    Connection details changed
connection.expired    Connection lost/invalidated

System Events

Event                 Trigger
rules.updated         Dynamic rules changed

Payload Format

All connection-related webhook events (connection.created, connection.updated, connection.expired) share the same payload structure:

connection.created

{
  "type": "connection.created",
  "timestamp": "2024-01-15T10:30:00Z",
  "data": {
    "clientReferenceId": "user_456",
    "connection": {
      "id": "conn_abc123",
      "status": "active",
      "permissions": ["profile:read", "posts:read"],
      "userData": {
        "id": "of_user_456",
        "name": "Jane Doe",
        "username": "janedoe",
        "avatar": "https://cdn.onlyfans.com/avatar.jpg"
      }
    }
  }
}

connection.updated

{
  "type": "connection.updated",
  "timestamp": "2024-01-15T11:00:00Z",
  "data": {
    "clientReferenceId": "user_456",
    "connection": {
      "id": "conn_abc123",
      "status": "active",
      "permissions": ["profile:read", "posts:read", "messages:read"],
      "userData": {
        "id": "of_user_456",
        "name": "Jane Doe",
        "username": "janedoe",
        "avatar": "https://cdn.onlyfans.com/avatar.jpg"
      }
    }
  }
}

connection.expired

{
  "type": "connection.expired",
  "timestamp": "2024-01-15T12:00:00Z",
  "data": {
    "clientReferenceId": "user_456",
    "connection": {
      "id": "conn_abc123",
      "status": "expired"
    }
  }
}
The connection.created webhook is the recommended way to receive connection IDs. Use data.clientReferenceId (which you provided when initializing Link) to map the connection to the correct user in your database.

Delivery & Retries

  • Retry policy: Exponential backoff, max 5 attempts
  • Timeout: 10 seconds per request
  • Ordering: In-order per connection ID
Respond with 2xx within 10 seconds.

Signature Verification

Each request includes an OFAuth-Signature header:
OFAuth-Signature: t=1234567890,v1=abc123...
Verify by:
  1. Extract timestamp (t) and signature (v1)
  2. Reject if the timestamp is more than 5 minutes old
  3. Compute HMAC-SHA256 of {timestamp}.{raw_body} with the signing secret
  4. Compare using a constant-time comparison
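
The four steps above as an added Python example (not OFAuth's own code). It assumes t is Unix seconds, v1 is the lowercase hex HMAC digest, and the signing secret is keyed as UTF-8 bytes; the function names are hypothetical.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

TOLERANCE_SECONDS = 300  # page: reject timestamps more than 5 minutes old


def parse_signature_header(header: str) -> Tuple[str, List[str]]:
    """Split 't=...,v1=...' into (timestamp string, list of v1 values)."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed signature header")
        if key == "t":
            timestamp = value
        elif key == "v1":
            signatures.append(value)
    # Keep the timestamp as the exact string sent: it is part of the signed data.
    if not timestamp or not (timestamp.isascii() and timestamp.isdigit()):
        raise ValueError("missing or non-numeric t")
    if not signatures:
        raise ValueError("missing v1")
    return timestamp, signatures


def compute_signature(timestamp: str, raw_body: bytes, secret: str) -> str:
    """HMAC-SHA256 over '{timestamp}.{raw_body}' (hex output is an assumption)."""
    signed = timestamp.encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, header: str, secret: str,
                   now: Optional[float] = None) -> bool:
    """Return True only if the header authenticates raw_body and is fresh."""
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    now = time.time() if now is None else now
    # abs() also rejects timestamps far in the future (added choice, not from the page).
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False
    expected = compute_signature(timestamp, raw_body, secret).encode()
    # Constant-time comparison on bytes; tolerates non-ASCII junk in the header.
    return any(hmac.compare_digest(expected, s.encode()) for s in signatures)
```

Pass raw_body as the bytes read from the request, before any JSON parsing or re-serialization, since a re-encoded body will not match the signature.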

Implementation Checklist

  1. Parse application/json body
  2. Verify signature before processing
  3. Route by type
  4. Return 2xx within 10 seconds
  5. Be idempotent (store event IDs)

Troubleshooting

Ensure endpoint is reachable and responds 2xx within 10 seconds.
Verify endpoint URL and event subscriptions in Dashboard.
Use raw request body (not parsed), verify signing secret matches.
