# Embed in your app

## Who this is for

SaaS builders who already hold an OnlyFans API key and want to expose its tools to an LLM running inside their own product — chatbot, agent, copilot, batch worker, anything.

If you just want to chat with your OnlyFans accounts in Claude or ChatGPT, use the [Claude](/onlyfans-ai/mcp/claude) or [ChatGPT](/onlyfans-ai/mcp/chatgpt) install guides instead. This page is the **backend integration**, not the end-user setup.

## TL;DR

```
Authorization: Bearer ofapi_xxx_your_api_key
```

Pass your OnlyFans API key as a Bearer token to:

```
https://app.onlyfansapi.com/mcp/onlyfans-mcp
```

That is the entire authentication. There is no client registration, no callback URL, no PKCE, no token refresh.

<Callout>
  The OAuth 2.1 flow that the server also supports is only relevant when a third-party MCP client (Claude Desktop, ChatGPT, Cursor) needs to authorize on behalf of one of your end users in a browser. When your backend is the caller, you skip all of it.
</Callout>

## Prerequisites

1. An [OnlyFans API account](https://app.onlyfansapi.com).
2. An API key generated at [app.onlyfansapi.com/api-keys](https://app.onlyfansapi.com/api-keys). The key is scoped to the team it was created in — all MCP tool calls run as that team.
3. At least one [connected OnlyFans account](/introduction/guides/connect-onlyfans-account) (`acct_…`) on that team. Most tools require an `account` parameter to identify which account to act on.

<Callout type="warn">
  If your product is multi-tenant and each customer has their own OnlyFans API team, generate **one API key per customer team** and store it against your internal customer record. Do not share a single key across tenants.
</Callout>

## Anthropic Messages API

Anthropic's Messages API supports remote MCP servers directly. Pass the server URL and your OnlyFans API key as `authorization_token`.

```bash
curl https://api.anthropic.com/v1/messages \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  -d '{
    "model": "claude-opus-4-7",
    "max_tokens": 4096,
    "mcp_servers": [{
      "type": "url",
      "url": "https://app.onlyfansapi.com/mcp/onlyfans-mcp",
      "name": "onlyfans",
      "authorization_token": "ofapi_xxx_your_api_key"
    }],
    "messages": [
      { "role": "user", "content": "List the accounts on my team." }
    ]
  }'
```

The model sees the MCP tool list, decides which tools to call, and the Anthropic platform handles the JSON-RPC dance with our server. Tool calls and results are returned inline in the response.

Notes:

* `name` is a label that shows up in `tool_use` blocks. Pick something stable.
* `authorization_token` is sent to our server as `Authorization: Bearer {value}`. **Do not include the word `Bearer` in the value.**
* The MCP beta header may be required on some Anthropic accounts. Check Anthropic's current MCP connector documentation.

## OpenAI Responses API

OpenAI's Responses API exposes remote MCP servers as a tool of `type: "mcp"`.

```bash
curl https://api.openai.com/v1/responses \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "content-type: application/json" \
  -d '{
    "model": "gpt-5",
    "tools": [{
      "type": "mcp",
      "server_label": "onlyfans",
      "server_url": "https://app.onlyfansapi.com/mcp/onlyfans-mcp",
      "headers": {
        "Authorization": "Bearer ofapi_xxx_your_api_key"
      }
    }],
    "input": "List the accounts on my team."
  }'
```

<Callout>
  The exact field name for custom auth headers on OpenAI's MCP tool has shifted during the feature's rollout. Check OpenAI's current Responses API MCP reference before shipping. The semantics are identical: relay `Authorization: Bearer …` to our server on every tool call.
</Callout>

## Direct JSON-RPC

If you're running an agent loop yourself — without going through Anthropic or OpenAI's hosted tool execution — you can speak JSON-RPC to the MCP server directly. The transport is the standard MCP streamable HTTP.

```http
POST /mcp/onlyfans-mcp HTTP/1.1
Host: app.onlyfansapi.com
Authorization: Bearer ofapi_xxx_your_api_key
Accept: application/json, text/event-stream
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "initialize",
  "id": 1,
  "params": {
    "protocolVersion": "2025-06-18",
    "capabilities": {},
    "clientInfo": { "name": "your-product", "version": "1.0.0" }
  }
}
```

Standard MCP methods are available: `initialize`, `tools/list`, `tools/call`, `notifications/initialized`. Pagination is supported on `tools/list` with a default page size of 500 and a max of 1000.
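A sketch of the client side of this exchange in Python, added here as an example and not taken from the OnlyFans API project: it parses both reply encodings the `Accept` header allows and follows `nextCursor` across `tools/list` pages. The function names are hypothetical, and it assumes the server does not require an `Mcp-Session-Id` header, which this page does not describe.

```python
import json
import urllib.request

MCP_URL = "https://app.onlyfansapi.com/mcp/onlyfans-mcp"  # endpoint from this page


def parse_mcp_body(content_type, body):
    """Return the JSON-RPC messages carried by one streamable-HTTP response.

    The request accepts both application/json and text/event-stream, so the
    reply may be a single JSON object or an SSE stream of `data:` events.
    An empty body (e.g. after a notification) yields no messages.
    """
    if content_type.split(";")[0].strip().lower() == "text/event-stream":
        messages = []
        for event in body.replace("\r\n", "\n").split("\n\n"):
            data = [line[5:].lstrip(" ")
                    for line in event.split("\n") if line.startswith("data:")]
            if any(data):  # skip comment-only or empty-data events
                messages.append(json.loads("\n".join(data)))
        return messages
    return [json.loads(body)] if body.strip() else []


def http_send(api_key, payload):
    """POST one JSON-RPC message with the headers shown in the request above."""
    request = urllib.request.Request(
        MCP_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Accept": "application/json, text/event-stream",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(request, timeout=30) as response:
        return parse_mcp_body(response.headers.get("Content-Type", ""),
                              response.read().decode("utf-8"))


def list_all_tools(send, first_id=2):
    """Collect every page of tools/list by following result.nextCursor."""
    tools, cursor, request_id = [], None, first_id
    while True:
        payload = {"jsonrpc": "2.0", "id": request_id, "method": "tools/list",
                   "params": {"cursor": cursor} if cursor else {}}
        # An SSE reply may carry server notifications first; match on the id.
        reply = next(m for m in send(payload) if m.get("id") == request_id)
        if "error" in reply:
            raise RuntimeError(f"tools/list failed: {reply['error']}")
        tools.extend(reply["result"]["tools"])
        cursor = reply["result"].get("nextCursor")
        if not cursor:
            return tools
        request_id += 1
```

In production, pass `lambda payload: http_send(api_key, payload)` as `send`, with `api_key` loaded from server-side secret storage.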

## Per-request scoping

The API key fixes the **team**. Most tools additionally take an `account` parameter (format `acct_XXXXXXXXXXXXXXX`) to choose which connected OnlyFans account to act on.

The model will ask the user or call a discovery tool (e.g. `list_accounts`) to figure this out. If your product already knows which account the current chat is about, pin it in the system prompt:

```
Use account acct_XXXXXXXXXXXXXXX for all tool calls unless the user specifies otherwise.
```

## Tool surface

The MCP server auto-generates one tool per documented OnlyFans API endpoint. The full list is returned by `tools/list`. Annotations follow the MCP conventions:

* `GET` endpoints have `readOnlyHint: true`.
* `PUT` and `PATCH` endpoints have `idempotentHint: true`.
* `DELETE` endpoints have `destructiveHint: true`.

If your LLM context budget is tight, prune the tool surface client-side before sending it to the model. Anthropic's connector and OpenAI's Responses MCP tool both support filtering tools at the request level — check the platform documentation for the exact field name.

## Rate limits

| Route               | Limit               |
| ------------------- | ------------------- |
| `/mcp/onlyfans-mcp` | 120 requests/minute |

A single LLM turn may produce multiple tool calls, each of which is one MCP request. Budget accordingly when planning agentic loops.

## Errors

| Status                 | Meaning                                                                                                            | Fix                                                              |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------- |
| `401 invalid_token`    | Bearer token missing, malformed, or revoked.                                                                       | Check the `Authorization` header. Regenerate the key if rotated. |
| `401 token_not_pinned` | You're authenticating with an OAuth access token that has no team binding. Should not happen with a plain API key. | Use an API key, not an OAuth token, or re-authorize.             |
| `403`                  | Scope is fine but the requested resource belongs to a different team, or the account is not connected.             | Confirm `account` belongs to the key's team.                     |
| `429`                  | Rate limit.                                                                                                        | Back off, respect `Retry-After`.                                 |

<Callout type="warn">
  The `invalid_client` error that some teams hit when getting started is an **OAuth** error, not an API error. It means you're sending requests to `/oauth/token` with a `client_id` that does not exist. You do not need to call `/oauth/token` at all in this integration pattern. Talk only to `/mcp/onlyfans-mcp` and pass the API key directly.
</Callout>

## Security checklist

1. **Store API keys server-side only.** Never ship them to the browser, even for authenticated users.
2. **One API key per customer team.** Do not let tenant A's chatbot call tools that resolve against tenant B's accounts.
3. **Treat MCP tool calls like any other API call** from your product. Log them, rate-limit them per customer, and surface failures to the end user.
4. **Rotate keys when staff with access leaves.** There's no separate revoke per session — revocation is at the key level.
5. **Scope prompts so the LLM can't escalate** beyond the customer's own accounts (system prompt, allowed `account` IDs, etc.). The API enforces team isolation, but defense in depth is cheap.
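One way to enforce items 2, 3 and 5 in code, for a backend that runs its own agent loop and dispatches `tools/call` itself (see "Direct JSON-RPC"). This is an added example, not code from the OnlyFans API project: the tenant record, function names and sample tool names are hypothetical, and the character set of `acct_…` IDs is assumed.

```python
import re

# The page gives the shape acct_XXXXXXXXXXXXXXX; the character set is an assumption.
ACCOUNT_RE = re.compile(r"acct_[A-Za-z0-9]+")


class ToolCallDenied(Exception):
    """Raised when a model-proposed tool call leaves the tenant's scope."""


def account_ids_in(value):
    """Collect every acct_ id found anywhere in nested tool arguments."""
    if isinstance(value, str):
        return set(ACCOUNT_RE.findall(value))
    if isinstance(value, dict):
        value = list(value.keys()) + list(value.values())
    if isinstance(value, (list, tuple)):
        return {a for item in value for a in account_ids_in(item)}
    return set()


def authorize_tool_call(tenant, tools_by_name, name, arguments):
    """Check one proposed tools/call and return an audit record, or raise.

    tenant: hypothetical record {"id", "accounts": set, "allow_destructive": bool}
    tools_by_name: tool objects from tools/list, keyed by tool name
    """
    tool = tools_by_name.get(name)
    if tool is None:
        raise ToolCallDenied(f"unknown tool: {name}")
    hints = tool.get("annotations", {})
    if hints.get("destructiveHint") and not tenant["allow_destructive"]:
        raise ToolCallDenied(f"destructive tool blocked: {name}")
    # Reject any foreign account id, even one tucked into an unrelated field.
    foreign = account_ids_in(arguments) - tenant["accounts"]
    if foreign:
        raise ToolCallDenied(f"account outside tenant scope: {sorted(foreign)}")
    wants_account = "account" in tool.get("inputSchema", {}).get("properties", {})
    if wants_account and arguments.get("account") not in tenant["accounts"]:
        raise ToolCallDenied(f"missing or unlisted account for {name}")
    # Log this record before forwarding the call with the tenant's own API key.
    return {"tenant": tenant["id"], "tool": name,
            "account": arguments.get("account"),
            "read_only": bool(hints.get("readOnlyHint"))}


# Constructed sample data; the tool names are hypothetical, not the server's.
SAMPLE_TOOLS = {
    "list_chats": {"annotations": {"readOnlyHint": True},
                   "inputSchema": {"properties": {"account": {"type": "string"}}}},
    "delete_post": {"annotations": {"destructiveHint": True},
                    "inputSchema": {"properties": {"account": {"type": "string"}}}},
}
SAMPLE_TENANT = {"id": "cust_1", "accounts": {"acct_AAA111"}, "allow_destructive": False}
```

With Anthropic's or OpenAI's hosted tool execution the platform dispatches the calls, so this gate cannot sit in the path; there, rely on request-level tool filtering and the pinned-account system prompt.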

## See also

* [OnlyFans MCP overview](/onlyfans-ai/mcp) — what MCP is, how it works, and supported clients
* [Claude MCP install guide](/onlyfans-ai/mcp/claude)
* [ChatGPT MCP install guide](/onlyfans-ai/mcp/chatgpt)
* [Manus MCP install guide](/onlyfans-ai/mcp/manus)
* [Develop with AI Agents](/introduction/guides/develop-with-ai-agents) — `llms.txt`, OpenAPI schema, `onlyfansapi-skill`
* [API Reference](/api-reference) — every endpoint exposed as an MCP tool