Docs
Endpoints
1. Fetch an access token using an authorization code
Once the authorization code callback is handled, you can use the code to retrieve the user's access token.
Endpoint
POST https://open.tiktokapis.com/v2/oauth/token/
Headers
Key | Value |
Content-Type | application/x-www-form-urlencoded |
Request body parameters
Key | Type | Description |
client_key | string | The unique identification key provisioned to the partner. |
client_secret | string | The unique identification secret provisioned to the partner. |
code | string | The authorization code from the web, iOS, Android or desktop authorization callback. The value should be URL decoded. |
grant_type | string | Its value should always be set as |
redirect_uri | string | Its value must be the same as the |
code_verifier | string | Required for mobile and desktop app only. Code verifier is used to generate code challenge in PKCE authorization flow. |
Response struct
Key | Type | Description |
open_id | string | The TikTok user's unique identifier. |
scope | string | A comma-separated list (,) of the scopes the user has agreed to authorize. |
access_token | string | The access token for future calls on behalf of the user. |
expires_in | int64 | The expiration of |
refresh_token | string | The token to refresh |
refresh_expires_in | int64 | The expiration of |
token_type | string | The value should be |
Make sure to store these values on your back end as they are needed to persist access.
Example
curl --location --request POST 'https://open.tiktokapis.com/v2/oauth/token/' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cache-Control: no-cache' \
--data-urlencode 'client_key=CLIENT_KEY' \
--data-urlencode 'client_secret=CLIENT_SECRET' \
--data-urlencode 'code=CODE' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'redirect_uri=REDIRECT_URI'If the request is successful, the response will look like the following.
{
"access_token": "act.example12345Example12345Example",
"expires_in": 86400,
"open_id": "afd97af1-b87b-48b9-ac98-410aghda5344",
"refresh_expires_in": 31536000,
"refresh_token": "rft.example12345Example12345Example",
"scope": "user.info.basic,video.list",
"token_type": "Bearer"
}If the request is not successful, an error response body will be returned in the response, like the following.
{
"error": "invalid_request",
"error_description": "Redirect_uri is not matched with the uri when requesting code.",
"log_id": "202206221854370101130062072500FFA2"
}2. Refresh an access token using a refresh token
Although the fetched access_token expires within 24 hours, it can be refreshed without user consent. The developer's back-end server can schedule background jobs to keep tokens up to date.
Endpoint
POST https://open.tiktokapis.com/v2/oauth/token/
Headers
Key | Value |
Content-Type | application/x-www-form-urlencoded |
Request body parameters
Key | Type | Description |
client_key | string | The unique identification key provisioned to the partner. |
client_secret | string | The unique identification secret provisioned to the partner. |
grant_type | string | Its value should always be set as |
refresh_token | string | The user's refresh token. |
Response struct
Key | Type | Description |
open_id | string | The partner-facing user ID. |
scope | string | A comma-separated list (,) of the scopes the user has agreed to authorize. |
access_token | string | The new token for future calls on behalf of the user. |
expires_in | int64 | The expiration of the access token in seconds. |
refresh_token | string | The token to refresh a user's Note: The returned |
refresh_expires_in | int64 | The expiration for |
token_type | string | The value should be |
Make sure to store these values on your back end as they are needed to persist access.
Example
curl --location --request POST 'https://open.tiktokapis.com/v2/oauth/token/' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cache-Control: no-cache' \
--data-urlencode 'client_key=CLIENT_KEY' \
--data-urlencode 'client_secret=CLIENT_SECRET' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=REFRESH_TOKEN'If the request is successful, the response will look like the following.
{
"access_token": "act.example12345Example12345Example",
"expires_in": 86400,
"open_id": "asdf-12345c-1a2s3d-ac98-asdf123as12as34",
"refresh_expires_in": 31536000,
"refresh_token": "rft.example12345Example12345Example",
"scope": "user.info.basic,video.list",
"token_type": "Bearer"
}If the request is not successful, an error response body will be returned in the response, like the following.
{
"error": "invalid_request",
"error_description": "The request parameters are malformed.",
"log_id": "202206221854370101130062072500FFA2"
}3. Revoke access
When a user wants to disconnect your application from TikTok, you can revoke their tokens so the user will no longer see your application on the Manage app permissions page of the TikTok for Developers website.
Endpoint
POST https://open.tiktokapis.com/v2/oauth/revoke/
Headers
Key | Value |
Content-Type | application/x-www-form-urlencoded |
Request body parameters
Key | Type | Description |
client_key | string | The unique identification key provisioned to the partner. |
client_secret | string | The unique identification secret provisioned to the partner. |
token | string | The |
Response struct
If the request is successful, the response struct will be empty.
Example
curl --location --request POST 'https://open.tiktokapis.com/v2/oauth/revoke/' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cache-Control: no-cache' \
--data-urlencode 'client_key=CLIENT_KEY' \
--data-urlencode 'client_secret=CLIENT_SECRET' \
--data-urlencode 'token=ACCESS_TOKEN'If the request is not successful, an error response body will be returned in the response, like the following.
{
"error": "invalid_request",
"error_description": "The request parameters are malformed.",
"log_id": "202206221854370101130062072500FFA2"
}