Signing Requests

How to sign requests

Using the signing API, you can sign requests to the OnlyFans API. This is necessary to authenticate your requests and ensure that they are valid.

There are two ways to integrate the signing API into your application: the Sign Request endpoint and self-signing.

Sign Request Endpoint

Using the Sign Request endpoint is the easiest way to integrate the signing API into your application. You can use the endpoint to sign requests for any of the OnlyFans API endpoints.

To get started, you'll need an access key with rules permissions. You can create an access key here.

Making a Sign Request

Make a POST request to https://api.ofauth.com/v2/dynamic-rules/sign with:

Headers

  • Content-Type: application/json
  • apiKey: your_api_key_here

Request Body

    {
        "endpoint": "https://onlyfans.com/api2/v2/users/me", // Required: The OF API endpoint
        "user_id": "123456789", // Optional: The OF user ID making the request
        "timestamp": 1726600781032 // Optional: Current timestamp in ms
    }

TIP

The user_id is only required if you include the user-id header in your OF API request. If timestamp is not provided, the current server time will be used.

Response

    {
        "signed": {
            "sign": "21234:dfgoiuh92348jnkldflksdfj:34f:279349",
            "time": "1799981647642",
            "app-token": "9as8fhjioasjdfhoiaf"
        },
        "is_public": true,
        "is_early_access": true,
        "is_exclusive_access": true
    }


Using the Signed Values

Add the values from the response as headers in your OnlyFans API request:

    // `signed` is the "signed" object from the Sign Request response above
    const response = await fetch('https://onlyfans.com/api2/v2/users/me', {
        headers: {
            sign: signed.sign,
            time: signed.time,
            'app-token': signed['app-token']
            // ... other required OF headers
        }
    });


Rate Limits

The signing API has the following rate limits:

Sign Endpoint (/v2/dynamic-rules/sign)

  • 30 requests per minute
  • Headers will include remaining requests and reset time

Rules Endpoint (/v2/dynamic-rules)

  • 1 request per minute
  • Headers will include remaining requests and reset time
  • We recommend caching the rules locally

When you exceed the rate limit, you'll receive a 429 response with headers:

    X-RateLimit-Limit: 20
    X-RateLimit-Remaining: 0
    X-RateLimit-Reset: 1706447400

TIP

To avoid rate limits:

  • Cache the rules locally and update them periodically
  • For high-volume needs, consider self-signing requests
  • Monitor the X-RateLimit headers to stay within limits

Self-sign Requests

For high-volume applications, you can self-sign requests to avoid the API rate limits:

  1. Get the latest dynamic rules from the Rules Endpoint:

         // GET https://api.ofauth.com/v2/dynamic-rules
         const rules = await fetch('https://api.ofauth.com/v2/dynamic-rules', {
             headers: {
                 apiKey: 'your_api_key_here'
             }
         }).then((r) => r.json());

  2. Implement the signing algorithm in your application.

  3. Use the generated values in your OF API requests:

         // generateSignature is your own implementation from step 2
         const { sign, time } = generateSignature(rules, {
             endpoint: 'https://onlyfans.com/api2/v2/users/me',
             userId: '123456789', // optional
             timestamp: Date.now() // optional
         });

         const response = await fetch('https://onlyfans.com/api2/v2/users/me', {
             headers: {
                 sign: sign,
                 time: time,
                 'app-token': rules.app_token
                 // ... other required OF headers
             }
         });

WARNING

The rules change periodically. You should:

  • Cache the rules locally
  • Update them every few hours
  • Have fallback logic if signatures fail
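
One way to combine the caching and fallback advice above with the Rules Endpoint rate limit, as an added example that is not OFAuth's own code. It assumes X-RateLimit-Reset is in epoch seconds, a three-hour refresh interval, and the Sign Request endpoint as the fallback signer; `RulesCache`, `decide`, `record` and `parseRateLimit` are hypothetical names.

```javascript
// Added example, not OFAuth's code. Assumes X-RateLimit-Reset is epoch seconds,
// 3 h stands in for "every few hours", Sign Request endpoint is the fallback.
const REFRESH_MS = 3 * 60 * 60 * 1000;
const MIN_FETCH_GAP_MS = 60 * 1000; // Rules Endpoint: 1 request per minute

// headers: plain object keyed by lower-cased header name.
function parseRateLimit(headers) {
  const num = (k) => {
    const v = headers[k] == null || headers[k] === '' ? NaN : Number(headers[k]);
    return Number.isFinite(v) ? v : null;
  };
  const reset = num('x-ratelimit-reset');
  return {
    limit: num('x-ratelimit-limit'),
    remaining: num('x-ratelimit-remaining'),
    resetMs: reset === null ? null : reset * 1000
  };
}

class RulesCache {
  constructor() {
    this.rules = null;
    this.fetchedAt = 0;
    this.lastAttempt = -Infinity;
    this.blockedUntil = 0;
  }
  // Returns 'use-cache', 'fetch' or 'fallback' for the next signing attempt.
  decide(now, signatureFailed = false) {
    const stale = this.rules === null || now - this.fetchedAt >= REFRESH_MS;
    if (!stale && !signatureFailed) return 'use-cache';
    const earliest = Math.max(this.blockedUntil, this.lastAttempt + MIN_FETCH_GAP_MS);
    if (now >= earliest) return 'fetch';
    // Refresh is rate-limited: aged rules may still work, failed or absent ones will not.
    return this.rules !== null && !signatureFailed ? 'use-cache' : 'fallback';
  }

  // Record the result of GET /v2/dynamic-rules; true if new rules were stored.
  record(status, headers, body, now) {
    this.lastAttempt = now;
    if (status === 429) {
      this.blockedUntil = parseRateLimit(headers).resetMs ?? now + MIN_FETCH_GAP_MS;
      return false;
    }
    if (status !== 200 || body === null || typeof body !== 'object') return false;
    this.rules = body;
    this.fetchedAt = now;
    return true;
  }
}
```

Call `decide(Date.now(), true)` after an OF API request is rejected for its signature; on `'fallback'`, sign through the Sign Request endpoint or wait until the rules fetch is allowed again.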

Examples

Check out the examples on the public GitHub repository.