Skip to main content
Use this checklist to ensure your OFAuth integration is complete and production-ready.

Before You Start

1

Create OFAuth Account

Sign up at app.ofauth.com if you haven’t already.
2

Complete Platform Profile

Set up your platform profile (app name, description, website, privacy policy) via the setup wizard in Dashboard > Client Apps.
3

Create a Client App

Create a client app and choose your integration type (Redirect, Embed, or Whitelabel). Configure allowed redirect URIs or origins for your app. Copy your clientAppId.
4

Generate API Key

Go to API Keys and create your API key.
Keep your API key secure. Never commit it to version control or expose it client-side.
5

Set Data Access Permissions

Configure which OnlyFans data your integration needs access to (profile, posts, messages, etc.) in Dashboard > Client Apps > Settings > Access Permissions.
6

Configure Webhook Endpoint

Set up your webhook URL at Webhooks to receive connection events.

Development Setup

1

Use Sandbox Environment

Always develop and test using the Sandbox environment first.
Important: Always use Sandbox for testing logins. Too many login attempts on production OnlyFans accounts can trigger “suspicious activity” detection, which may cause OnlyFans to reset the account. Use Sandbox test credentials to avoid this.
2

Implement Link Flow

Set up the authentication flow to connect OnlyFans accounts:
// Initialize a Link session
const response = await fetch("https://api.ofauth.com/v2/link/init", {
  method: "POST",
  headers: {
    apikey: "YOUR_API_KEY",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    redirectUrl: "https://yourapp.com/callback",
    clientReferenceId: "your_internal_user_id"
  })
});

const { url } = await response.json();
// Redirect user to `url`
3

Handle Connection Webhooks

Process incoming webhooks to store connection IDs:
app.post("/webhooks/ofauth", async (req, res) => {
  const { type, data } = req.body;
  
  if (type === "connection.created") {
    await db.users.update({
      where: { id: data.clientReferenceId },
      data: { connectionId: data.connection.id }
    });
  }
  
  res.status(200).send("ok");
});
4

Store Connection IDs Securely

Treat connection IDs like credentials—store them encrypted in your database.

Pre-Production Checklist

API key works with test requests
Link flow completes successfully in Sandbox
Webhooks are being received and processed
Connection IDs are stored and retrievable
Access API calls work with stored connection IDs

Error Handling

Ensure your integration handles these scenarios:
ScenarioYour Response
SESSION_EXPIRED errorPrompt user to re-authenticate via Link
RATE_LIMIT_EXCEEDED errorImplement exponential backoff
connection.expired webhookNotify user, initiate re-auth flow
Network/timeout errorsRetry with backoff

Session Expiration Flow

async function handleOFAuthRequest(endpoint, options) {
  const response = await fetch(`https://api.ofauth.com${endpoint}`, {
    ...options,
    headers: {
      apikey: process.env.OFAUTH_API_KEY,
      "x-connection-id": connectionId,
      ...options.headers
    }
  });
  
  if (!response.ok) {
    const error = await response.json();
    
    if (error.type === "SESSION_EXPIRED") {
      // Mark connection as needing re-auth
      await markConnectionExpired(connectionId);
      // Notify user
      await notifyUserReauthRequired(userId);
      throw new ReAuthRequiredError();
    }
    
    throw new OFAuthError(error);
  }
  
  return response.json();
}

Go Live Checklist

1

Switch to Production API Key

Replace your Sandbox API key with your production key.
Production and Sandbox use the same API endpoints. The environment is determined by your API key.
2

Verify Webhook Signatures

Ensure you’re validating webhook signatures in production:
const crypto = require("crypto");

function verifyWebhook(payload, signature, secret) {
  const [timestamp, hash] = signature.split(",").map(p => p.split("=")[1]);
  const expected = crypto
    .createHmac("sha256", secret)
    .update(`${timestamp}.${payload}`)
    .digest("hex");
  return crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(expected));
}
3

Set Up Monitoring

Monitor for:
  • Webhook delivery failures
  • Rate limit warnings
  • Session expiration rates
  • API error rates
4

Document for Your Users

Create user-facing documentation explaining:
  • Why you need OnlyFans access
  • What data you’ll access
  • How to disconnect their account

Quick Reference

Required Headers

HeaderValueRequired
apikeyYour OFAuth API keyAlways
x-connection-idConnection ID (e.g., conn_abc123)For Access API
Content-Typeapplication/jsonFor POST/PUT/PATCH

Key Endpoints

PurposeEndpoint
Verify API keyGET /v2/account/whoami
Start auth flowPOST /v2/link/init
List connectionsGET /v2/connections
Get user profileGET /v2/access/self
List subscribersGET /v2/access/subscribers

Webhook Events

EventWhen
connection.createdUser completes authentication
connection.updatedConnection details change
connection.expiredSession expires or is invalidated

Need Help?

Quickstart Guide

Get your first API call working

Error Handling

Handle errors gracefully

Sandbox Environment

Test safely without affecting real accounts

Contact Support

Get help from our team