> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ofauth.com/llms.txt
> Use this file to discover all available pages before exploring further.
# How OFAuth Works
> Core concepts, architecture, and why OFAuth exists
## The Big Picture
OFAuth is **infrastructure for OnlyFans integrations**—like Plaid for banking, but for OnlyFans. We handle authentication, session management, and API complexity so you can focus on building your product.
```mermaid theme={null}
graph LR
A[Your Platform] --> B[OFAuth]
B --> C[OnlyFans]
C --> B
B --> A
```
**You focus on your product. OFAuth handles OnlyFans.**
***
## Why OFAuth Exists
OnlyFans has **no public API**. Building integrations requires:
* **Reverse engineering** authentication flows, request signing, and session management
* **Constant maintenance** as OnlyFans changes their API (sometimes multiple times per day)
* **Security liability** from handling user credentials
OFAuth solves this:
| Challenge | OFAuth Solution |
| ------------------------- | ----------------------------------------------------- |
| No public API | Managed Access API with typed endpoints |
| Authentication complexity | Link handles login, 2FA, captcha |
| Credential security | Zero credential storage—you only store Connection IDs |
| Signing infrastructure | Request signing managed by Dynamic Rules engine |
| Proxy infrastructure | Proxy management and request routing handled for you |
Teams report spending 3-6 months building OnlyFans integrations in-house. With OFAuth, you're live in days.
***
## Core Concepts
### Connections
A **Connection** represents a linked OnlyFans account. When a user authenticates through OFAuth, you receive a Connection ID that you use to access their data.
Just the Connection ID (e.g., `conn_abc123`)—a simple string in your database
Sessions, credentials, expiration, re-authentication—all the complexity
**Think of a Connection ID like an access token**—it represents permission to act on behalf of a user.
***
### Link API
The **Link API** handles user authentication. It's how OnlyFans users connect their accounts to your platform.
Your backend calls OFAuth to get an authentication URL
They log into OnlyFans on a secure OFAuth-hosted page
OFAuth redirects back with a Connection ID you can use
**Link is similar to OAuth**—users see a branded consent flow, enter their credentials on a trusted page, and your app receives a token (the Connection ID) to use.
You never see or handle OnlyFans passwords. Authentication happens entirely on OFAuth's secure pages.
***
### Access API
The **Access API** lets you make OnlyFans API requests using a Connection ID. It handles request signing, proxy routing, and session management so you don't have to build that infrastructure.
```
Your App → Access API → OnlyFans → Access API → Your App
↑
Handles signing, proxies,
and session management
```
**Two ways to use it:**
| Method | Best For |
| --------------------- | ------------------------------------------------------------------------- |
| **Managed Endpoints** | Common operations like fetching profiles, posts, messages—typed responses |
| **Proxy Endpoints** | Any OnlyFans API path—pass-through for anything we haven't wrapped yet |
Most integrations use Managed Endpoints. The Proxy gives you access to any OnlyFans API path with signing and session management handled.
***
### Dynamic Rules (Advanced)
OnlyFans requires cryptographically signed requests. These signing rules **change frequently**—sometimes multiple times per day.
**Most users don't need Dynamic Rules.** If you're using the Access API or SDK, signing is automatic. Dynamic Rules are only for advanced use cases where you call OnlyFans APIs directly.
| If you're using... | Do you need Dynamic Rules? |
| --------------------- | ---------------------------------- |
| Access API | No—signing is automatic |
| JavaScript SDK | No—handled by the SDK |
| Direct OnlyFans calls | Yes—you need current signing rules |
***
## The Complete Flow
Here's how a typical OFAuth integration works:
```mermaid theme={null}
sequenceDiagram
participant App as Your App
participant Auth as Link API
participant User
participant Access as Access API
participant OF as OnlyFans
App->>Auth: Create session
Auth-->>App: Auth URL
App->>User: Redirect to auth URL
User->>Auth: Enter credentials
Auth->>User: Redirect to success URL
User->>App: Connection ID received
App->>Access: Fetch data (with Connection ID)
Access->>OF: Signed request
OF-->>Access: Data
Access-->>App: Response
```
1. **Link** creates the connection (one-time per user)
2. **Access** fetches data using that connection (ongoing)
***
## Glossary
| Term | Definition |
| ----------------- | -------------------------------------------------------------------- |
| **Connection** | A linked OnlyFans account, represented by a Connection ID |
| **Connection ID** | Unique identifier (e.g., `conn_abc123`) used to access a user's data |
| **Link Session** | Temporary authentication flow—expires after 1 hour |
| **API Key** | Your OFAuth API key for authenticating requests |
| **Dynamic Rules** | Current OnlyFans request signing parameters |
***
## Next Steps
See this in action with working code
How we protect credentials and data