Skip to main content

Overview

The creator_profiles collection stores platform account configurations, encrypted credentials, and scraping status for connected creator accounts. Each profile represents a connection to a creator platform (OnlyFans, Fansly, etc.).

Purpose

  • Store encrypted platform credentials using AES-256-GCM server-side encryption
  • Track scraping status and last successful sync timestamps
  • Manage platform-specific configuration and authentication state
  • Link platform accounts to user personas for multi-platform management

Key Fields

Credential Encryption

Credentials are encrypted using server-side AES-256-GCM encryption before storage:
Security notes:
  • All encryption happens server-side only
  • Encryption key stored in CREDENTIALS_ENC_KEY_B64 environment variable
  • No encryption keys are ever sent to the browser
  • See server/utils/credentialsCrypto.js for implementation details

Example Queries

List All Creator Profiles

Get Single Profile

Update Scrape Status

Search Profiles by Platform

  • platform_sessions - Encrypted browser cookies from extension for authentication
  • media_jobs - Scraping jobs triggered for this profile
  • scraped_media - Content scraped from this profile
  • hitl_sessions - Human-in-the-loop login requests when scraping requires manual intervention

Workflow Integration

Profile Scraping Flow

  1. User connects platform via /app/platforms
  2. System checks for existing cookies in platform_sessions
  3. If cookies exist: Create media_jobs entry with type scrape_profile
  4. If no cookies: Create hitl_sessions entry and show yellow dashboard alert
  5. Media worker processes job using Stagehand browser automation
  6. Results stored in scraped_media, profile’s scrape_status updated

Credential Management

All credential encryption/decryption happens server-side:
  • Encryption endpoint: POST /api/credentials/encrypt
  • Decryption endpoint: POST /api/credentials/decrypt
  • Implementation: server/utils/credentialsCrypto.js
  • Format: Legacy string support + new object format {enc: "v1:..."}

Best Practices

  1. Never decrypt credentials in browser - All encryption operations are server-side only
  2. Check platform_sessions before scraping - Avoids unnecessary HITL requests
  3. Monitor scrape_status - Poll for job completion rather than blocking
  4. Respect rate limits - Use last_scraped_at to prevent over-scraping
  5. Validate platform field - Ensure platform is in supported list before creating profile

See Also