Skip to main content
It is recommended to validate incoming webhook requests to ensure that they originate from OnlyFans API, and not from a malicious actor. You can do this by verifying the Signature header in the request.
You can choose any signing secret, but it is recommended to use a long, random string.

How the signature is calculated

We calculate the signature using the HMAC SHA256 algorithm. The payload (as json) is the string, and the signing secret is the key.

Verifying the signature

Below you can find examples of how to verify the signature in different programming languages. 
$computedSignature = hash_hmac('sha256', $requestContent, $signingSecret);