# Integration Checklist

> Everything you need before going to production with OFAuth

Use this checklist to ensure your OFAuth integration is complete and production-ready.

## Before You Start

<Steps>
  <Step title="Create OFAuth Account">
    Sign up at [app.ofauth.com](https://app.ofauth.com) if you haven't already.
  </Step>

  <Step title="Complete Platform Profile">
    Set up your platform profile (app name, description, website, privacy policy) via the setup wizard in [Dashboard > Client Apps](https://app.ofauth.com/platform/apps).
  </Step>

  <Step title="Create a Client App">
    Create a client app and choose your integration type (Redirect, Embed, or Whitelabel). Configure allowed redirect URIs or origins for your app. Copy your `clientAppId`.
  </Step>

  <Step title="Generate API Key">
    Go to [API Keys](https://app.ofauth.com/platform/developers/keys) and create your API key.

    <Warning>
      Keep your API key secure. Never commit it to version control or expose it client-side.
    </Warning>
  </Step>

  <Step title="Set Data Access Permissions">
    Configure which OnlyFans data your integration needs access to (profile, posts, messages, etc.) in [Dashboard > Client Apps > Settings > Access Permissions](https://app.ofauth.com/platform/apps/settings).
  </Step>

  <Step title="Configure Webhook Endpoint">
    Set up your webhook URL at [Webhooks](https://app.ofauth.com/platform/developers/webhooks) to receive System Webhook Events for connection changes.
  </Step>
</Steps>

***

## Development Setup

<Steps>
  <Step title="Use Sandbox Environment">
    Always develop and test using the [Sandbox environment](/setup/sandbox) first.

    <Warning>
      **Important**: Always use Sandbox for testing logins. Too many login attempts on production OnlyFans accounts can trigger "suspicious activity" detection, which may cause OnlyFans to reset the account. Use Sandbox test credentials to avoid this.
    </Warning>
  </Step>

  <Step title="Implement Link Flow">
    Set up the authentication flow to connect OnlyFans accounts:

    ```javascript
    // Initialize a Link session. Run this server-side only: the API key
    // must never be sent to the browser.
    const response = await fetch("https://api.ofauth.com/v2/link/init", {
      method: "POST",
      headers: {
        apikey: process.env.OFAUTH_API_KEY,
        "Content-Type": "application/json"
      },
      body: JSON.stringify({
        redirectUrl: "https://yourapp.com/callback",
        clientReferenceId: "your_internal_user_id"
      })
    });

    if (!response.ok) {
      throw new Error(`Link init failed with HTTP ${response.status}`);
    }

    const session = await response.json();
    if (session.mode !== "hosted") {
      throw new Error(`Expected hosted Link session, received ${session.mode}`);
    }
    // Redirect user to `session.url`
    ```
  </Step>

  <Step title="Handle System Webhook Events">
    Process incoming webhooks to store connection IDs:

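    ```javascript
    // `app` is an Express-style server and `db` is your own database client.
    app.post("/webhooks/ofauth", async (req, res) => {
      // Verify the webhook signature before trusting req.body
      // (see "Verify Webhook Signatures" in the Go Live Checklist).
      const { type, data } = req.body;

      if (type === "connection.created") {
        // clientReferenceId is the value you passed to /v2/link/init
        await db.users.update({
          where: { id: data.clientReferenceId },
          data: { connectionId: data.connection.id }
        });
      }

      res.status(200).send("ok");
    });
    ```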
  </Step>

  <Step title="Store Connection IDs Securely">
    Treat connection IDs like credentials—store them encrypted in your database.
  </Step>
</Steps>
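
One way to follow the "Store Connection IDs Securely" step, as an added example that is not OFAuth's own code: AES-256-GCM encryption applied before the database write, with the owning user ID bound as authenticated data. The function names, the `v1.` storage format, and the sample values are assumptions made for this illustration.

```javascript
const crypto = require("crypto");

// Encrypts a connection ID with AES-256-GCM before it is written to the database.
// userId is bound as additional authenticated data (AAD), so a ciphertext copied
// onto another user's row fails authentication instead of decrypting.
function sealConnectionId(connectionId, key, userId) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(String(userId), "utf8"));
  const ciphertext = Buffer.concat([cipher.update(connectionId, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Hypothetical storage format: version.iv.tag.ciphertext, base64url-encoded
  return ["v1", ...[iv, tag, ciphertext].map(b => b.toString("base64url"))].join(".");
}

// Returns the plaintext connection ID. Throws if the stored value was modified,
// was sealed under a different key, or is being read for a different user.
function openConnectionId(sealed, key, userId) {
  const [version, ivPart, tagPart, ctPart] = String(sealed).split(".");
  if (version !== "v1" || !ivPart || !tagPart || !ctPart) {
    throw new Error("Unrecognized sealed connection ID format");
  }
  const iv = Buffer.from(ivPart, "base64url");
  const tag = Buffer.from(tagPart, "base64url");
  if (iv.length !== 12 || tag.length !== 16) {
    throw new Error("Unexpected IV or tag length");
  }
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(String(userId), "utf8"));
  decipher.setAuthTag(tag);
  const plaintext = Buffer.concat([
    decipher.update(Buffer.from(ctPart, "base64url")),
    decipher.final() // throws here when authentication fails
  ]);
  return plaintext.toString("utf8");
}

// Constructed demo values. In production the 32-byte key comes from a secrets
// manager or KMS, never from source code or the same database as the ciphertext.
const demoKey = crypto.randomBytes(32);
const demoSealed = sealConnectionId("conn_abc123", demoKey, "user_42");
console.log(openConnectionId(demoSealed, demoKey, "user_42")); // conn_abc123
```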

***

## Pre-Production Checklist

<Check>API key works with test requests</Check>
<Check>Link flow completes successfully in Sandbox</Check>
<Check>System Webhook Events are being received and processed</Check>
<Check>Connection IDs are stored and retrievable</Check>
<Check>Access API calls work with stored connection IDs</Check>

### Error Handling

Ensure your integration handles these scenarios:

| Scenario                          | Your Response                                       |
| --------------------------------- | --------------------------------------------------- |
| `SESSION_EXPIRED` error           | Prompt user to re-authenticate via Link             |
| `RATE_LIMIT_EXCEEDED` error       | Implement exponential backoff                       |
| `connection.expired` webhook      | Notify user, initiate re-auth flow                  |
| `connection.disconnected` webhook | Stop API access and remove local connection mapping |
| Network/timeout errors            | Retry with backoff                                  |

### Session Expiration Flow

```javascript
// markConnectionExpired, notifyUserReauthRequired, ReAuthRequiredError and
// OFAuthError are your application's own helpers and error classes.
async function handleOFAuthRequest(endpoint, connectionId, userId, options = {}) {
  const response = await fetch(`https://api.ofauth.com${endpoint}`, {
    ...options,
    headers: {
      apikey: process.env.OFAUTH_API_KEY,
      "x-connection-id": connectionId,
      ...options.headers
    }
  });

  if (!response.ok) {
    const error = await response.json();

    if (error.type === "SESSION_EXPIRED") {
      // Mark connection as needing re-auth
      await markConnectionExpired(connectionId);
      // Notify user
      await notifyUserReauthRequired(userId);
      throw new ReAuthRequiredError();
    }

    throw new OFAuthError(error);
  }

  return response.json();
}
```

***

## Go Live Checklist

<Steps>
  <Step title="Switch to Production API Key">
    Replace your Sandbox API key with your production key.

    <Info>
      Production and Sandbox use the same API endpoints. The environment is determined by your API key.
    </Info>
  </Step>

  <Step title="Verify Webhook Signatures">
    Ensure you're validating webhook signatures in production:

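    ```javascript
    const crypto = require("crypto");

    // `payload` must be the raw request body string exactly as received,
    // not a re-serialized parsed object, or the HMAC will not match.
    function verifyWebhook(payload, signature, secret) {
      const [timestamp, hash] = String(signature).split(",").map(p => p.split("=")[1]);
      if (!timestamp || !hash) return false; // malformed or missing signature
      const expected = crypto
        .createHmac("sha256", secret)
        .update(`${timestamp}.${payload}`)
        .digest("hex");
      const received = Buffer.from(hash);
      const computed = Buffer.from(expected);
      // timingSafeEqual throws on buffers of different length, so compare lengths first
      return received.length === computed.length &&
        crypto.timingSafeEqual(received, computed);
    }
    ```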
  </Step>

  <Step title="Set Up Monitoring">
    Monitor for:

    * Webhook delivery failures
    * Rate limit warnings
    * Session expiration rates
    * API error rates
  </Step>

  <Step title="Document for Your Users">
    Create user-facing documentation explaining:

    * Why you need OnlyFans access
    * What data you'll access
    * How to disconnect their account
  </Step>
</Steps>
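
The signature check from the "Verify Webhook Signatures" step, extended in an added example (not OFAuth's own code) to reject stale timestamps and to map each event to the response listed in the Error Handling table. The 300-second window, the Unix-seconds timestamp, the `t`/`v1` key names in the sample header, the action labels, and the function names are assumptions.

```javascript
const crypto = require("crypto");

const TOLERANCE_SECONDS = 300; // assumed replay window; the page does not specify one

// Event type -> response from the Error Handling table (labels are hypothetical).
const ACTIONS = new Map([
  ["connection.created", "store-connection-id"],
  ["connection.expired", "prompt-reauth"],
  ["connection.disconnected", "remove-connection-mapping"]
]);

// rawBody must be the request body exactly as received, not re-serialized JSON.
function processWebhook(rawBody, signatureHeader, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const [timestamp, hash] = String(signatureHeader ?? "").split(",").map(p => p.split("=")[1]);
  if (!timestamp || !hash) return { ok: false, reason: "malformed signature" };

  const expected = crypto.createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest();
  const received = Buffer.from(hash, "hex");
  // Length check first: timingSafeEqual throws on buffers of different length.
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: "bad signature" };
  }

  // Assumption: the signed timestamp is Unix seconds. Rejecting old ones limits replay.
  if (!/^\d+$/.test(timestamp) || Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale timestamp" };
  }

  let event;
  try {
    event = JSON.parse(rawBody);
  } catch {
    return { ok: false, reason: "invalid JSON" };
  }
  return { ok: true, action: ACTIONS.get(event?.type) ?? "ignore", event };
}

// Builds a constructed sample header; the key names "t" and "v1" are placeholders.
function signSample(rawBody, secret, timestamp) {
  const mac = crypto.createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp},v1=${mac}`;
}

// Constructed sample event, shaped like the connection.created handler on this page.
const sampleBody = JSON.stringify({
  type: "connection.created",
  data: { clientReferenceId: "user_42", connection: { id: "conn_abc123" } }
});
const sampleSig = signSample(sampleBody, "constructed-demo-secret", 1700000000);
console.log(processWebhook(sampleBody, sampleSig, "constructed-demo-secret", 1700000000).action);
```

Return `400` or `401` without touching the database whenever `ok` is `false`, and log the `reason` so signature failures show up in the webhook monitoring listed below.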

***

## Quick Reference

### Required Headers

| Header            | Value                               | Required           |
| ----------------- | ----------------------------------- | ------------------ |
| `apikey`          | Your OFAuth API key                 | Always             |
| `x-connection-id` | Connection ID (e.g., `conn_abc123`) | For Access API     |
| `Content-Type`    | `application/json`                  | For POST/PUT/PATCH |

### Key Endpoints

| Purpose          | Endpoint                      |
| ---------------- | ----------------------------- |
| Verify API key   | `GET /v2/account/whoami`      |
| Start auth flow  | `POST /v2/link/init`          |
| List connections | `GET /v2/account/connections` |
| Get user profile | `GET /v2/access/self`         |
| List subscribers | `GET /v2/access/subscribers`  |

### Webhook Events

| Event                     | When                                       |
| ------------------------- | ------------------------------------------ |
| `connection.created`      | User completes authentication              |
| `connection.updated`      | Connection details change                  |
| `connection.expired`      | Session expires or is invalidated          |
| `connection.disconnected` | Connection is deleted and cannot reconnect |

***

## Need Help?

<CardGroup cols={2}>
  <Card title="Quickstart Guide" icon="rocket" href="/quickstart">
    Get your first API call working
  </Card>

  <Card title="Error Handling" icon="triangle-exclamation" href="/reference/error-handling">
    Handle errors gracefully
  </Card>

  <Card title="Sandbox Environment" icon="flask" href="/setup/sandbox">
    Test safely without affecting real accounts
  </Card>

  <Card title="Contact Support" icon="envelope" href="mailto:support@ofauth.com">
    Get help from our team
  </Card>
</CardGroup>
