Docs
Login Kit with QR Code
If you are using our deprecated v1 endpoint for QR code authorizations, please migrate to our v2 endpoint immediately. Learn more.
Overview
This guide will explain how to integrate with the Login Kit to facilitate user authorization via QR code login. Once an authenticated user authorizes your app, you can access their basic TikTok profile data such as their display name and avatar. Additional data access may require approval for additional scopes. Learn more about scopes.
Prerequisites
Obtain a client key and client secret by logging into the TikTok for Developers website. Then go to the Manage apps page and select your app.
Security advisory: Verifying integrity using client_ticket
The client_ticket mentioned throughout this guide enables you to verify the data integrity of the response. While your app may still function even if you don't validate the client_ticket, doing so introduces security risks. Therefore, it is highly recommended that you always verify that the client_ticket matches the one generated by you, and reject any response where this validation fails as it may have been compromised by a malicious attacker.
Generating a client_ticket
Your client_ticket can be any series of characters, letters, or symbols, as long as it is URL safe and the URL-encoded version is under 512 characters. The generation method is at your discretion as there are no complexity requirements. You may reuse the same client_ticket, but some randomness is recommended for security. You should persist the ticket for the entirety of the QR code process as it will be needed when checking the validity of the QR status.
Integration
Your web app must implement the following functionality on the server side:
- Generate a QR code.
- Request a QR code URL (see the below sections for API guidance).
- Generate a
client_ticket. - Insert the client ticket into the QR code URL.
- Render the URL.
- Display it to the user.
- Repeatedly check the QR code status and refresh or disable it accordingly (see the below sections for API guidance).
- Parse the response for the provided authorization code once the QR code status is changed to
confirmed. - Request an access token and refresh token from TikTok using the authorization code and client key.
- Notify the user of authorization success or failure.
- Use the access token to fetch authorized user data, and use the refresh token to extend the access token's expiration time.
For more information on access and refresh tokens, see Manage User Access Tokens.
Get QR Code
POSThttps://open.tiktokapis.com/v2/oauth/get_qrcode/
Description
Request a QR code from TikTok.
Header
Key | Value |
Content-Type | application/x-www-form-urlencoded |
Request
Key | Type | Description | Example | Required |
client_key | string | The unique identification key provisioned to the partner | aw7nk86b7czitwc9 | true |
scope | string | A comma-separated list (,) of the scopes the user has agreed to authorize | user.info.basic,video.list | true |
state | string | The state is used to maintain the state of your request and callback. This value will be included when redirecting the user back to the client. Check if the state returned in the callback matches what you sent earlier to prevent cross-site request forgery. The state can also include customized parameters that you want TikTok service to return. | key%3Dabc%26key2%3Ddef | false |
Example request
curl --location --request POST 'https://open.tiktokapis.com/v2/oauth/get_qrcode/' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_key=aw7nk86b7czitwc9' \
--data-urlencode 'scope=user.info.basic,user.info.username' \
--data-urlencode 'state=key%3Dabc%26key2%3Ddef'Response
Key | Type | Description | Example |
scan_qrcode_url | string | QR code url which is returned when the call is successful | aweme://authorize?authType=100&client_key=abcd1234&client_ticket=tobefilled&... |
token | string | Token used to check QR code status, returned when the call is successful | VJ5JCKGJGRSWNMFWHQH4W5NKY943Q97D |
error | string | If this field is set, it means that the current user is not eligible for using third-party login or authorization. The partner is responsible for handling the error . | invalid_request |
error_description | string | If this field is set, it will be a human-readable description about the error | The request parameters are malformed. |
log_id | string | If this field is set, it will be a log ID for troubleshooting | 202206221854370101130062072500FFA2 |
A successful response will include the scan_qrcode_url and token fields. Once obtained, please perform the following steps:
- Extract the
scan_qrcode_url. - Generate a unique ticket using your preferred approach, such as an alphanumeric string such as
2ncv7awq. Persist this ticket alongside your service. - In the previously extracted
scan_qrcode_url, replace the value of theclient_ticketquery parameter with your ticket. For example,scan_qrcode_url=...&client_ticket=tobefilled&...should be replaced byscan_qrcode_url=...&client_ticket=your_ticket&.... - Use the modified
scan_qrcode_urlto generate a QR code. - Display the QR code to your user.
Example response
Success
{
"scan_qrcode_url": "aweme://authorize?authType=100&client_key=abcd1234&client_ticket=tobefilled&...",
"token": "VJ5JCKGJGRSWNMFWHQH4W5NKY943Q97D..."
}
Failure
{
"error": "invalid_request",
"error_description": "The request parameters are malformed.",
"log_id": "202206221854370101130062072500FFA2"
}
Check QR code status
POSThttps://open.tiktokapis.com/v2/oauth/check_qrcode/
Description
Check the QR code status. Call with polling after the get_qrcode endpoint has been successfully called.
Header
Key | Value |
Content-Type | application/x-www-form-urlencoded |
Request
Key | Type | Description | Example | Required |
client_key | string | The unique identification key provisioned to the partner | aw7nk86b7czitwc9 | true |
client_secret | string | The unique identification secret provisioned to the partner | 123fnaoif12n3ij | true |
token | string | Token obtained along with QR code | VJ5JCKGJGRSWNMFWHQH4W5NKY943Q97D | true |
Example request
curl --location --request POST 'https://open.tiktokapis.com/v2/oauth/check_qrcode/' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_key=aw7nk86b7czitwc9' \
--data-urlencode 'token=VJ5JCKGJGRSWNMFWHQH4W5NKY943Q97D' \
--data-urlencode 'client_secret=123fnaoif12n3ij'Response
Key | Type | Description | Example |
client_ticket | string | A string, which is generate in user's service. This is returned when the call is successful. | client_ticket="A23SDWEGsdasd" |
status | string | QR code status | new | expired | scanned | confirmed |
code | string | Authorization code, returned when the status is confirmed | https://callback.example.com?code=HOXbXtnAok4qojdOmsHjucm1V1KJrOjYuMnV |
state | string | The "state" parameter which is sent in /v2/oauth/get_qrcode/. It is returned when the status is confirmed. | key%3D123 |
error | string | If this field is set, it means that the current user is not eligible for using third-party login or authorization. The partner is responsible for handling the error gracefully. | invalid_request |
error_description | string | If this field is set, it will be a human-readable description about the error | The request parameters are malformed. |
log_id | string | If this field is set, it will be a log ID for trouble shooting | 202206221854370101130062072500FFA2 |
When the call succeeds, please perform the following steps:
- Validate the
client_ticketto make sure it matches what you provided in your generated ticket for the request. If they do not match, ignore the response as its integrity may be compromised. - Check that the status is
confirmedand that the authorization code is appended in theredirect_uri. - If the status is not
confirmed, continue polling if the status is notexpired. If it isexpired, then re-invoke theget_qrcodeAPI.
Example response
Success
// A new generate QR code
{
"client_ticket": "",
"status": "new"
}
// A QR code scaned by the user
{
"client_ticket": "your_ticket_string",
"status": "scanned"
}
// A QR code confirmed by the user
{
"client_ticket": "your_ticket_string",
"redirect_uri": "https://example.com?code=example_code",
"status": "confirmed"
}
// An expired QR code
{
"client_ticket": "",
"status": "expired"
}
Failure
{
"error": "invalid_request",
"error_description": "The request parameters are malformed.",
"log_id": "202206221854370101130062072500FFA2"
}