Skip to main content
Use this checklist to ensure your OFAuth integration is complete and production-ready.

Before You Start

1

Create OFAuth Account

Sign up at app.ofauth.com if you haven’t already.
2

Generate API Key

Go to Developers > API Keys and create your API key.
Keep your API key secure. Never commit it to version control or expose it client-side.
3

Configure Webhook Endpoint

Set up your webhook URL at Developers > Webhooks to receive connection events.
4

Set Redirect URIs

Add your allowed redirect URIs for the Link authentication flow.
5

Set Data Access Permissions

Configure which OnlyFans data your integration needs access to (profile, posts, messages, etc.) in your platform settings.

Development Setup

1

Use Sandbox Environment

Always develop and test using the Sandbox environment first.
Important: Always use Sandbox for testing logins. Too many login attempts on production OnlyFans accounts can trigger “suspicious activity” detection, which may cause OnlyFans to reset the account. Use Sandbox test credentials to avoid this.
2

Implement Link Flow

Set up the authentication flow to connect OnlyFans accounts:
// Initialize a Link session
const response = await fetch("https://api.ofauth.com/v2/link/init", {
  method: "POST",
  headers: {
    apikey: "YOUR_API_KEY",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    redirectUrl: "https://yourapp.com/callback",
    clientReferenceId: "your_internal_user_id"
  })
});

const { url } = await response.json();
// Redirect user to `url`
3

Handle Connection Webhooks

Process incoming webhooks to store connection IDs:
app.post("/webhooks/ofauth", async (req, res) => {
  const { type, data } = req.body;
  
  if (type === "connection.created") {
    await db.users.update({
      where: { id: data.clientReferenceId },
      data: { connectionId: data.connection.id }
    });
  }
  
  res.status(200).send("ok");
});
4

Store Connection IDs Securely

Treat connection IDs like credentials—store them encrypted in your database.

Pre-Production Checklist

API key works with test requests
Link flow completes successfully in Sandbox
Webhooks are being received and processed
Connection IDs are stored and retrievable
Access API calls work with stored connection IDs

Error Handling

Ensure your integration handles these scenarios:
ScenarioYour Response
SESSION_EXPIRED errorPrompt user to re-authenticate via Link
RATE_LIMIT_EXCEEDED errorImplement exponential backoff
connection.expired webhookNotify user, initiate re-auth flow
Network/timeout errorsRetry with backoff

Session Expiration Flow

async function handleOFAuthRequest(endpoint, options) {
  const response = await fetch(`https://api.ofauth.com${endpoint}`, {
    ...options,
    headers: {
      apikey: process.env.OFAUTH_API_KEY,
      "x-connection-id": connectionId,
      ...options.headers
    }
  });
  
  if (!response.ok) {
    const error = await response.json();
    
    if (error.type === "SESSION_EXPIRED") {
      // Mark connection as needing re-auth
      await markConnectionExpired(connectionId);
      // Notify user
      await notifyUserReauthRequired(userId);
      throw new ReAuthRequiredError();
    }
    
    throw new OFAuthError(error);
  }
  
  return response.json();
}

Go Live Checklist

1

Switch to Production API Key

Replace your Sandbox API key with your production key.
Production and Sandbox use the same API endpoints. The environment is determined by your API key.
2

Verify Webhook Signatures

Ensure you’re validating webhook signatures in production:
const crypto = require("crypto");

function verifyWebhook(payload, signature, secret) {
  const [timestamp, hash] = signature.split(",").map(p => p.split("=")[1]);
  const expected = crypto
    .createHmac("sha256", secret)
    .update(`${timestamp}.${payload}`)
    .digest("hex");
  return crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(expected));
}
3

Set Up Monitoring

Monitor for:
  • Webhook delivery failures
  • Rate limit warnings
  • Session expiration rates
  • API error rates
4

Document for Your Users

Create user-facing documentation explaining:
  • Why you need OnlyFans access
  • What data you’ll access
  • How to disconnect their account

Quick Reference

Required Headers

HeaderValueRequired
apikeyYour OFAuth API keyAlways
x-connection-idConnection ID (e.g., conn_abc123)For Access API
Content-Typeapplication/jsonFor POST/PUT/PATCH

Key Endpoints

PurposeEndpoint
Verify API keyGET /v2/account/whoami
Start auth flowPOST /v2/link/init
List connectionsGET /v2/connections
Get user profileGET /v2/access/self
List subscribersGET /v2/access/subscribers

Webhook Events

EventWhen
connection.createdUser completes authentication
connection.updatedConnection details change
connection.expiredSession expires or is invalidated

Need Help?

Quickstart Guide

Get your first API call working

Error Handling

Handle errors gracefully

Sandbox Environment

Test safely without affecting real accounts

Contact Support

Get help from our team