Browser is built with security at every layer. Here is how your creator accounts and data are protected.
Browser uses a two-step authentication process:
Substy authentication: When you launch Browser, your identity is verified through your Substy (Clerk) login. Only users with the Admin role in your organization can access Browser.
Session cookie: After verification, a secure, encrypted cookie is issued that is scoped specifically to your session. This cookie is HttpOnly (cannot be read by JavaScript), Secure (only sent over HTTPS), and tied to the exact session URL path.
Each session is tied to a single creator. You cannot access a different creator's OnlyFans through the same session.
Sessions are scoped to your organization. A user from a different organization cannot access your sessions, even if they have the session URL.
Session tokens are random UUIDs that cannot be guessed or predicted.
Your creator's OnlyFans login credentials are never sent to your browser. All OnlyFans API calls are authenticated and signed server-side by Substy's infrastructure. The browser only sees the proxied responses.
Only organization admins can create, access, or manage Browser sessions. Employees with non-admin roles will not see the Browser option and cannot use session URLs even if shared with them.
Sessions expire automatically after 4 hours. There is no way for a session to persist indefinitely. If you suspect a session has been compromised, you can revoke it immediately from the dashboard.
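The session rules described on this page (admin-only access, organization scoping, one creator per session, 4-hour expiry, revocation, and the HttpOnly/Secure/path-scoped cookie) can be expressed as a server-side check. This is an added example in Python, not Substy's code. The function names, cookie name, `/session/<token>` path layout and placeholder cookie value are assumptions.

```python
import hmac
import uuid
from dataclasses import dataclass
from http.cookies import SimpleCookie

SESSION_TTL = 4 * 60 * 60  # seconds; the 4-hour limit stated on this page


@dataclass
class Session:
    token: str          # random UUID, also the last URL path segment (assumed)
    org_id: str
    creator_id: str     # exactly one creator per session
    created_at: float
    revoked: bool = False


def create_session(org_id, creator_id, now):
    # uuid4() is built from os.urandom, the OS cryptographic random source.
    return Session(str(uuid.uuid4()), org_id, creator_id, now)


def session_cookie(session, sealed_value, name="browser_session"):
    # sealed_value stands in for the encrypted cookie payload; the cookie
    # name and the /session/<token> path layout are assumptions.
    cookie = SimpleCookie()
    cookie[name] = sealed_value
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["path"] = f"/session/{session.token}"
    return cookie[name].OutputString()


def authorize(session, presented_token, user_org, user_role, creator_id, now):
    """Deny by default; return (allowed, reason)."""
    if session is None or not hmac.compare_digest(
            presented_token.encode(), session.token.encode()):
        return False, "unknown session"
    if session.revoked:
        return False, "revoked"
    if now - session.created_at >= SESSION_TTL:
        return False, "expired"
    if user_org != session.org_id:
        return False, "wrong organization"
    if user_role != "admin":
        return False, "admin role required"
    if creator_id != session.creator_id:
        return False, "bound to another creator"
    return True, "ok"
```

Every check runs on the server for each request, so a shared session URL alone passes none of them without a matching organization and admin role.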