Scopes - onlyfanskit

Every API key carries a set of scopes. A key can only ever be minted with a subset of the scopes its creator holds, so you can build least-privilege keys for automations.

Runtime scopes

Scope	Grants
`accounts:read`	List and fetch your own connected accounts.
`accounts:write`	Connect and disconnect accounts.
`sdk:call`	Invoke any SDK method against an owned account.
`webhooks:read`	Read webhook configuration.
`webhooks:write`	Set, delete, and test webhooks.

Self-service scopes

Scope	Grants
`me:read`	Read your org and list your keys.
`me:write`	Update org contact info, mint and revoke keys.
`usage:read`	Read usage counters and rate-limit windows.

Default set

Customer keys without an explicit scope list get the everyday set:

accounts:read  accounts:write  sdk:call
webhooks:read  webhooks:write
me:read        me:write        usage:read

Mint a narrower key by passing scopes when creating it:

curl -X POST https://api.onlyfanskit.dev/v1/me/keys \
  -H "Authorization: Bearer $OFK_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "label": "read-only metrics", "scopes": ["accounts:read", "sdk:call", "usage:read"] }'

Admin scopes (admin:*) are only ever granted on internal tokens, never on customer keys.

Checking your scopes

GET /v1/me returns the scopes on the calling key. A call that needs a scope you don’t hold returns 403 with a problem body naming the missing scope.

Documentation Index

​Runtime scopes

​Self-service scopes

​Default set

​Checking your scopes

Runtime scopes

Self-service scopes

Default set

Checking your scopes