Direct OnlyFans Integration
OnlyFans started signing their API requests in 2021 and we were the first to identify and open source the method. We've been reliably extracting this signature data for years.
The algorithm has remained unchanged since then, apart from periodic key rotations. The signature data changes every time they roll out a site update (usually once or twice a day), though older versions often continue to work anywhere from weeks to months before they disable them.
This endpoint makes our internal data available for custom integrations. While we rely on this data for our own operations, this endpoint is provided on a best-effort basis without official support.
Get Signature Data
Retrieves the current signature data, including the secret, checksum, and validation status. This can be used if you're building your own integration with the OnlyFans API rather than using ours.
Response Fields
- safe (boolean): Whether our signature data matches the live service version
- sign.checksum.indices (number[]): Array of indices for checksum calculation
- sign.checksum.constant (number): Constant value added to checksum
- sign.secret (string): The cryptographic secret for generating signatures
- sign.version (string): Current version identifier
- sign.version_ts (string): Version timestamp in hex format
- sign.revision (string): Revision number
curl https://thotbot.cc/v1/onlyfans/signature-config \
  -H "Authorization: Bearer thot_ak_..."

{
  "safe": true,
  "sign": {
    "checksum": {
      "indices": [72, 73, 80, 80, 79, ...],
      "constant": -123
    },
    "secret": "kYaKAGvzyW4hgLT9TVuV1p0td9CF3SbS8vqNkUdRuc",
    "version": "69420",
    "version_ts": "3b9e04b8",
    "revision": "200109110846-6ec0e97b1e"
  }
}

Signing Requests
You can use the data returned from this endpoint to generate signatures for direct requests to the OnlyFans API.
Caching tip: The signing data only changes once or twice a day. Consider caching it for up to 24 hours instead of fetching it for every request.
(Old keys usually still work for a while, but a real browser will probably refresh the page within a few days and start using new keys, so caching for any longer than that isn't recommended.)
Algorithm
- Prepare Data
  - secret: The secret from the response
  - time: Current timestamp in milliseconds
  - path: The request URI path and query string (e.g., /api2/v2/posts?limit=100)
  - userid: The user ID of your OnlyFans account
- Generate Hash
  Construct a string using the format below and calculate its SHA1 hash (as a hex string):
  [secret]\n[time]\n[path]\n[userid]
- Calculate Checksum
  Using the indices list and constant from the response:
  - Iterate through the indices. For each index, add the ASCII value of the character at that position in the SHA1 hex string to sum.
  - Add the constant value to sum.
  - The final checksum is the hexadecimal representation of the absolute value of sum.
- Format Signature
  Construct the final signature string:
  version:sha1_hash:checksum:version_ts
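JavaScript Example
Here's a reference implementation showing how to generate a signature:
const crypto = require('crypto');

// `config` is assumed to hold the parsed JSON response from the endpoint above
const { secret, checksum, version, version_ts } = config.sign;

const userId = '123456789';
const path = '/api2/v2/posts?limit=100';
const time = Date.now();

// Generate hash: SHA1 over secret, time, path and user ID joined by newlines
const payload = [secret, time, path, userId].join('\n');
const hash = crypto.createHash('sha1').update(payload).digest('hex');

// Calculate checksum: sum the character codes at the listed indices, then add the constant
const sum = checksum.indices.reduce((acc, idx) => {
  return acc + hash.charCodeAt(idx);
}, 0) + checksum.constant;
// Named checksumHex so it does not shadow the `checksum` object read above
const checksumHex = Math.abs(sum).toString(16);

// Format signature
const signature = `${version}:${hash}:${checksumHex}:${version_ts}`;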