OnlyFans API

Protecting your webhooks

It is recommended to validate incoming webhook requests to ensure that they originate from OnlyFans API, and not from a malicious actor. You can do this by verifying the `Signature` header in the request.

You can choose any signing secret, but it is recommended to use a long, random string.

How the signature is calculated

We calculate the signature using the HMAC-SHA256 algorithm. The request payload (as JSON) is the message, and the signing secret is the key.

Verifying the signature

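Below you can find examples of how to verify the signature in different programming languages. In each case, compute the HMAC over the request body exactly as it was received (re-encoding the parsed JSON can change the bytes and make a valid signature fail), then compare the result with the value of the `Signature` header using a constant-time comparison rather than an ordinary string equality check.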

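// $requestContent must be the raw request body exactly as received, not a
// re-encoded copy of the decoded JSON. $signingSecret is the secret configured
// for the webhook.
$computedSignature = hash_hmac('sha256', $requestContent, $signingSecret);

// $receivedSignature is the value of the `Signature` request header.
// hash_equals() takes the same time wherever the two strings differ, which a
// plain `==` / `===` comparison does not guarantee. The is_string() guard keeps
// a missing header from reaching hash_equals() as a non-string.
$signatureIsValid = is_string($receivedSignature)
    && hash_equals($computedSignature, $receivedSignature);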
import hmac
import hashlib

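# request_content must be the raw request body exactly as received (a str here),
# not a re-serialised copy of the parsed JSON.
computed_signature = hmac.new(signing_secret.encode(), request_content.encode(), hashlib.sha256).hexdigest()

# received_signature is the value of the `Signature` request header.
# hmac.compare_digest() runs in time independent of where the inputs differ;
# both sides are encoded to bytes because the str form only accepts ASCII.
signature_is_valid = hmac.compare_digest(
    computed_signature.encode(), received_signature.encode()
)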
const crypto = require('crypto');

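// requestContent must be the raw request body exactly as received, not the
// result of JSON.stringify() on an already-parsed body.
const computedSignature = crypto
    .createHmac('sha256', signingSecret)
    .update(requestContent)
    .digest('hex');

// receivedSignature is the value of the `Signature` request header.
// crypto.timingSafeEqual() throws when the buffers differ in length, so the
// length is checked first; String() turns a missing header into a non-matching
// value instead of an exception.
const expectedBytes = Buffer.from(computedSignature, 'utf8');
const receivedBytes = Buffer.from(String(receivedSignature), 'utf8');
const signatureIsValid =
    expectedBytes.length === receivedBytes.length &&
    crypto.timingSafeEqual(expectedBytes, receivedBytes);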
package main

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
)

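// main computes the HMAC-SHA256 signature of a webhook body and checks it
// against the signature that arrived with the request.
func main() {
    signingSecret := []byte("your_signing_secret")
    // Raw request body exactly as received, not a re-marshalled copy.
    requestContent := []byte("your_request_content")
    // Value of the `Signature` request header.
    receivedSignature := "received_signature_header_value"

    h := hmac.New(sha256.New, signingSecret)
    h.Write(requestContent) // hash.Hash documents that Write never returns an error
    computedSignature := hex.EncodeToString(h.Sum(nil))

    // hmac.Equal compares without leaking timing information about the
    // contents, unlike == on strings.
    if !hmac.Equal([]byte(computedSignature), []byte(receivedSignature)) {
        // Signature mismatch: reject the request and do not process the payload.
        return
    }

    // Signature matches: the webhook can be processed.
}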
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

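/**
 * Computes the HMAC-SHA256 signature of a webhook body and checks it against
 * the signature received with the request.
 */
public class HmacSha256Example {
    public static void main(String[] args) throws Exception {
        String signingSecret = "your_signing_secret";
        // Raw request body exactly as received, not a re-serialised copy.
        String requestContent = "your_request_content";
        // Value of the `Signature` request header.
        String receivedSignature = "received_signature_header_value";

        Mac mac = Mac.getInstance("HmacSHA256");
        SecretKeySpec secretKeySpec = new SecretKeySpec(signingSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        mac.init(secretKeySpec);

        byte[] hmacBytes = mac.doFinal(requestContent.getBytes(StandardCharsets.UTF_8));
        String computedSignature = bytesToHex(hmacBytes);

        // MessageDigest.isEqual() is a time-constant comparison; String.equals()
        // can return as soon as it finds the first differing character.
        boolean signatureIsValid = MessageDigest.isEqual(
                computedSignature.getBytes(StandardCharsets.UTF_8),
                receivedSignature.getBytes(StandardCharsets.UTF_8));

        if (!signatureIsValid) {
            // Signature mismatch: reject the request and do not process the payload.
            return;
        }

        // Signature matches: the webhook can be processed.
    }

    /**
     * Encodes bytes as a lowercase hexadecimal string, two characters per byte.
     *
     * @param bytes the bytes to encode
     * @return the hex representation of {@code bytes}
     */
    private static String bytesToHex(byte[] bytes) {
        StringBuilder hexString = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            // Mask to 0..255 so negative bytes do not sign-extend to 8 hex digits.
            String hex = Integer.toHexString(0xff & b);
            if (hex.length() == 1) {
                hexString.append('0');
            }
            hexString.append(hex);
        }
        return hexString.toString();
    }
}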
require 'openssl'

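# request_content must be the raw request body exactly as received, not a
# re-generated copy of the parsed JSON.
computed_signature = OpenSSL::HMAC.hexdigest('sha256', signing_secret, request_content)

# received_signature is the value of the `Signature` request header.
# OpenSSL.secure_compare is a constant-time comparison (available in recent
# versions of the openssl gem); to_s turns a missing header into a non-matching
# empty string instead of raising.
signature_is_valid = OpenSSL.secure_compare(computed_signature, received_signature.to_s)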