Embed in your app
Expose the OnlyFans MCP server to an LLM running inside your own SaaS product — chatbot, agent, copilot, or batch worker — using your API keys.
Who this is for
SaaS builders who already hold an OnlyFans API key and want to expose its tools to an LLM running inside their own product — chatbot, agent, copilot, batch worker, anything.
If you just want to chat with your OnlyFans accounts in Claude or ChatGPT, use the Claude or ChatGPT install guides instead. This page is the backend integration, not the end-user setup.
TL;DR
```
Authorization: Bearer ofapi_xxx_your_api_key
```
Pass your OnlyFans API key as a Bearer token to:
```
https://app.onlyfansapi.com/mcp/onlyfans-mcp
```
That is the entire authentication. There is no client registration, no callback URL, no PKCE, no token refresh.
The OAuth 2.1 flow that the server also supports is only relevant when a third-party MCP client (Claude Desktop, ChatGPT, Cursor) needs to authorize on behalf of one of your end users in a browser. When your backend is the caller, you skip all of it.
Prerequisites
- An OnlyFans API account.
- An API key generated at app.onlyfansapi.com/api-keys. The key is scoped to the team it was created in — all MCP tool calls run as that team.
- At least one connected OnlyFans account (`acct_…`) on that team. Most tools require an `account` parameter to identify which account to act on.
If your product is multi-tenant and each customer has their own OnlyFans API team, generate one API key per customer team and store it against your internal customer record. Do not share a single key across tenants.
Anthropic Messages API
Anthropic's Messages API supports remote MCP servers directly. Pass the server URL and your OnlyFans API key as authorization_token.
```bash
curl https://api.anthropic.com/v1/messages \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  -d '{
    "model": "claude-opus-4-7",
    "max_tokens": 4096,
    "mcp_servers": [{
      "type": "url",
      "url": "https://app.onlyfansapi.com/mcp/onlyfans-mcp",
      "name": "onlyfans",
      "authorization_token": "ofapi_xxx_your_api_key"
    }],
    "messages": [
      { "role": "user", "content": "List the accounts on my team." }
    ]
  }'
```
The model sees the MCP tool list, decides which tools to call, and the Anthropic platform handles the JSON-RPC dance with our server. Tool calls and results are returned inline in the response.
Notes:
- `name` is a label that shows up in `tool_use` blocks. Pick something stable.
- `authorization_token` is sent to our server as `Authorization: Bearer {value}`. Do not include the word `Bearer` in the value.
- The MCP beta header may be required on some Anthropic accounts. Check Anthropic's current MCP connector documentation.
OpenAI Responses API
OpenAI's Responses API exposes remote MCP servers as a tool of type: "mcp".
```bash
curl https://api.openai.com/v1/responses \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "content-type: application/json" \
  -d '{
    "model": "gpt-5",
    "tools": [{
      "type": "mcp",
      "server_label": "onlyfans",
      "server_url": "https://app.onlyfansapi.com/mcp/onlyfans-mcp",
      "headers": {
        "Authorization": "Bearer ofapi_xxx_your_api_key"
      }
    }],
    "input": "List the accounts on my team."
  }'
```
The exact field name for custom auth headers on OpenAI's MCP tool has shifted during the feature's rollout. Check OpenAI's current Responses API MCP reference before shipping. The semantics are identical: relay `Authorization: Bearer …` to our server on every tool call.
Direct JSON-RPC
If you're running an agent loop yourself — without going through Anthropic or OpenAI's hosted tool execution — you can speak JSON-RPC to the MCP server directly. The transport is the standard MCP streamable HTTP.
```http
POST /mcp/onlyfans-mcp HTTP/1.1
Host: app.onlyfansapi.com
Authorization: Bearer ofapi_xxx_your_api_key
Accept: application/json, text/event-stream
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "initialize",
  "id": 1,
  "params": {
    "protocolVersion": "2025-06-18",
    "capabilities": {},
    "clientInfo": { "name": "your-product", "version": "1.0.0" }
  }
}
```
Standard MCP methods are available: `initialize`, `tools/list`, `tools/call`, `notifications/initialized`. Pagination is supported on `tools/list` with a default page size of 500 and a max of 1000.
Per-request scoping
The API key fixes the team. Most tools additionally take an account parameter (format acct_XXXXXXXXXXXXXXX) to choose which connected OnlyFans account to act on.
The model will ask the user or call a discovery tool (e.g. list_accounts) to figure this out. If your product already knows which account the current chat is about, pin it in the system prompt:
```
Use account acct_XXXXXXXXXXXXXXX for all tool calls unless the user specifies otherwise.
```
Tool surface
The MCP server auto-generates one tool per documented OnlyFans API endpoint. The full list is returned by tools/list. Annotations follow the MCP conventions:
- `GET` endpoints have `readOnlyHint: true`.
- `PUT` and `PATCH` endpoints have `idempotentHint: true`.
- `DELETE` endpoints have `destructiveHint: true`.
If your LLM context budget is tight, prune the tool surface client-side before sending it to the model. Anthropic's connector and OpenAI's Responses MCP tool both support filtering tools at the request level — check the platform documentation for the exact field name.
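An added sketch (not OnlyFans API project code) of the client-side pruning described above, for a self-run agent loop: it pages through `tools/list` using MCP's `cursor` / `nextCursor` fields and keeps only read-only tools unless writes or deletes are explicitly enabled. The `send` transport, the sample pages, and every tool name except `list_accounts` are constructed for illustration.

```python
# Added example: page through tools/list, then prune by MCP annotations.
# Assumption: `send` is any callable that POSTs one JSON-RPC request body to
# /mcp/onlyfans-mcp and returns the decoded JSON-RPC response as a dict.

def list_all_tools(send, max_pages=20):
    """Collect every tool, following MCP's nextCursor pagination."""
    tools, cursor, req_id = [], None, 1
    for _ in range(max_pages):  # hard stop so a repeating cursor cannot loop forever
        params = {"cursor": cursor} if cursor else {}
        resp = send({"jsonrpc": "2.0", "id": req_id,
                     "method": "tools/list", "params": params})
        if "error" in resp:
            raise RuntimeError(f"tools/list failed: {resp['error']}")
        result = resp["result"]
        tools.extend(result.get("tools", []))
        cursor = result.get("nextCursor")
        if not cursor:
            return tools
        req_id += 1
    raise RuntimeError("tools/list pagination did not terminate")


def prune_tools(tools, allow_writes=False, allow_destructive=False):
    """Keep read-only tools by default; writes and deletes are opt-in."""
    kept = []
    for tool in tools:
        ann = tool.get("annotations") or {}
        if ann.get("destructiveHint"):
            if allow_destructive:
                kept.append(tool)
        elif ann.get("readOnlyHint") or allow_writes:
            kept.append(tool)
    return kept


# Constructed sample pages; tool names other than list_accounts are made up.
_PAGES = {
    None: {"tools": [
        {"name": "list_accounts", "annotations": {"readOnlyHint": True}},
        {"name": "example_update", "annotations": {"idempotentHint": True}}],
        "nextCursor": "page-2"},
    "page-2": {"tools": [
        {"name": "example_delete", "annotations": {"destructiveHint": True}},
        {"name": "example_create", "annotations": {}}]},
}

def fake_send(body):
    """Stand-in transport that serves the constructed pages above."""
    return {"jsonrpc": "2.0", "id": body["id"],
            "result": _PAGES[body["params"].get("cursor")]}
```

Annotations are hints supplied by the server, so the pruned list reduces what the model is offered; the checks in the security checklist still apply to every call it makes.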
Rate limits
| Route | Limit |
|---|---|
| /mcp/onlyfans-mcp | 120 requests/minute |
A single LLM turn may produce multiple tool calls, each of which is one MCP request. Budget accordingly when planning agentic loops.
Errors
| Status | Meaning | Fix |
|---|---|---|
| 401 invalid_token | Bearer token missing, malformed, or revoked. | Check the Authorization header. Regenerate the key if rotated. |
| 401 token_not_pinned | You're authenticating with an OAuth access token that has no team binding. Should not happen with a plain API key. | Use an API key, not an OAuth token, or re-authorize. |
| 403 | Scope is fine but the requested resource belongs to a different team, or the account is not connected. | Confirm account belongs to the key's team. |
| 429 | Rate limit. | Back off, respect Retry-After. |
The invalid_client error that some teams hit when getting started is an OAuth error, not an API error. It means you're sending requests to /oauth/token with a client_id that does not exist. You do not need to call /oauth/token at all in this integration pattern. Talk only to /mcp/onlyfans-mcp and pass the API key directly.
Security checklist
- Store API keys server-side only. Never ship them to the browser, even for authenticated users.
- One API key per customer team. Do not let tenant A's chatbot call tools that resolve against tenant B's accounts.
- Treat MCP tool calls like any other API call from your product. Log them, rate-limit them per customer, and surface failures to the end user.
- Rotate keys when staff with access leaves. There's no separate revoke per session — revocation is at the key level.
- Scope prompts so the LLM can't escalate beyond the customer's own accounts (system prompt, allowed `account` IDs, etc.). The API enforces team isolation, but defense in depth is cheap.
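One way to enforce the per-tenant items on this checklist in your backend before forwarding a model-proposed `tools/call` (added example, not the project's own code). The `TenantGate` class, the tenant IDs, the `acct_` values used with it and the 100-per-minute default are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class ToolCallDenied(Exception):
    """Raised when a proposed tool call must not be forwarded."""


class TenantGate:
    """Checks a model-proposed tool call before it reaches the MCP server."""

    def __init__(self, allowed_accounts, per_minute=100, clock=time.monotonic):
        # allowed_accounts: {tenant_id: set of acct_ IDs}, from your own customer records
        self.allowed = allowed_accounts
        self.per_minute = per_minute      # assumption: kept below the 120/min route limit
        self.clock = clock
        self.calls = defaultdict(deque)   # tenant_id -> timestamps of forwarded calls
        self.audit = []                   # stand-in for your real audit log

    def check(self, tenant_id, tool_name, arguments):
        """Return tools/call params if allowed, else raise ToolCallDenied."""
        now = self.clock()
        window = self.calls[tenant_id]
        while window and now - window[0] >= 60:
            window.popleft()              # drop calls older than one minute
        account = arguments.get("account")
        if tenant_id not in self.allowed:
            reason = "unknown tenant"
        elif account is not None and account not in self.allowed[tenant_id]:
            reason = "account not owned by tenant"
        elif len(window) >= self.per_minute:
            reason = "per-customer rate limit"
        else:
            reason = None
            window.append(now)            # only forwarded calls consume budget
        self.audit.append((tenant_id, tool_name, account, reason or "allowed"))
        if reason:
            raise ToolCallDenied(reason)
        return {"name": tool_name, "arguments": arguments}
```

The `tenant_id` must come from your authenticated session, never from model output; the returned dict is the `params` of the JSON-RPC `tools/call` request sent with that tenant's own API key.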
See also
- OnlyFans MCP overview — what MCP is, how it works, and supported clients
- Claude MCP install guide
- ChatGPT MCP install guide
- Manus MCP install guide
- Develop with AI Agents — `llms.txt`, OpenAPI schema, `onlyfansapi-skill`
- API Reference — every endpoint exposed as an MCP tool