API keys
- Issue separate keys per environment (development, staging, production).
- Use scopes so a leaked key cannot do more than its role requires.
- Rotate keys on a schedule and immediately after any suspected leak.
- Never embed keys in client-side apps, public repos, or agent prompts.
Connected accounts
- Store account id references server-side; do not expose raw cookies or x-bc values to browsers or third parties.
- Prefer mobile / embed connect when you should not handle creator passwords at all.
- Revoke or delete accounts you no longer need via the Accounts API.
Logging and observability
- Do not log full request or response bodies in production — they contain session headers and message content.
- Redact Authorization, Cookie, and signing headers in debug traces.
- Surface structured errors to operators; avoid dumping upstream OnlyFans payloads into user-visible UI.
Network
- Route OnlyFans traffic through a stable proxy per account when using the SDK directly. Fingerprint consistency matters more than rotating IPs.
- Terminate TLS at your edge for webhooks; verify webhook signatures before processing payloads.
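Added example (not the SDK's own code) of the webhook check in the last bullet: verify the signature over the raw bytes, with a constant-time compare and a timestamp window against replays. The header names and the HMAC-SHA256 over "timestamp.body" scheme are assumptions for illustration; use the ones the webhook documentation specifies.

```python
import hmac
import hashlib
import time
from typing import Optional

# Hypothetical header names and signing scheme (assumed for this example;
# substitute the real ones from the webhook documentation).
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject events older than 5 minutes to limit replay


def sign_payload(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over 'timestamp.raw_body' (assumed scheme)."""
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes,
                   now: Optional[float] = None) -> bool:
    """True only if both the timestamp window and the signature check pass.

    raw_body must be the exact bytes received: re-serialising parsed JSON
    changes whitespace and key order and breaks the HMAC.
    """
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    sig = lowered.get(SIGNATURE_HEADER.lower())
    ts = lowered.get(TIMESTAMP_HEADER.lower())
    if not sig or not ts:
        return False
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a possible replay
    expected = sign_payload(secret, ts, raw_body)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected, sig)


# Constructed sample input: a dummy secret, a body and headers produced above.
SECRET = b"whsec_example_not_real"
BODY = b'{"event":"message.received","account_id":"acct_123"}'
TS = "1700000000"
GOOD_HEADERS = {SIGNATURE_HEADER: sign_payload(SECRET, TS, BODY), TIMESTAMP_HEADER: TS}

if __name__ == "__main__":
    print(verify_webhook(SECRET, GOOD_HEADERS, BODY, now=1700000010))         # True
    print(verify_webhook(SECRET, GOOD_HEADERS, BODY + b" ", now=1700000010))  # False
```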