Creator authorization guide
This guide is intended for
- apps that need to call Affiliate Creator APIs
- integrations that need creator-side affiliate data or capabilities
What does creator authorization do?
After creator authorization, the app can call Affiliate Creator APIs.
Core concept
Creator authorization means:a creator grants your TikTok Shop app access to creator-side data and capabilities, so that your app can call the relevant Creator Open APIs.
At its core, the flow is still OAuth-based:
- Build an authorization link
- Let the user log in and approve authorization
- Receive a callback with
code - Exchange the
codefor tokens - Use the token to call Creator APIs
Creator authorization is different from Seller authorization. A creator token and a seller token are different credentials and must not be reused interchangeably.
Prerequisites
Before starting Creator authorization, make sure the following are ready:
App-side prerequisites
- the app is created
- API access is enabled
- a valid Redirect URL is configured
- the required creator scopes are enabled or approved
- if the creator capability is still beta / allowlist based, the app is approved for that rollout
Creator-side prerequisites
the user is a real TikTok Shop creator, not just a regular TikTok account. The creator can enroll as a TikTok Shop creator by following the guides for the respective countries:
The creator's selection region must be one of the app's target markets:
If your app is in development, please contact your App Store Manager for a Creator testing account. Creator test accounts are only available to members of our beta phase today.
End-to-end authorization flow
A practical Creator authorization flow can be understood in 7 steps:
- prepare the app
- enable creator scopes
- build the creator authorization link
- let the creator sign in and authorize
- receive
codeandstateon the Redirect URL - exchange the
auth_codeforaccess_token/refresh_token - call Creator Open APIs and validate
granted_scopes
Step 1: Prepare the app
In Partner Center, make sure you have:
- created the app / service
- enabled API access
- configured the Redirect URL
- obtained
app_key/app_secret - enabled the required creator scopes in Manage API
The Redirect URL is the callback destination after successful authorization. In production, it should be a real server-side endpoint that can validate the callback parameters, especially state.
Step 2: Enable creator scopes
These are the creator scopes enabled or approved in Partner Center.
APP & Service -> Manage API,look for scope keys that begin with creator. For example:
Step 3: Build the authorization link
The basic authorization link can be obtained from the Copy authorization link button.
For creator authorization links, you are required to manually add a state parameter for extra security. The state is an unguessable random string that can help protect cross-site request forgery attacks, and is not automatically included in the basic authorization link.
Please see the OpenID Connect documentation for an example of how to create and confirm a state. When encoding a state, remove leading and trailing white spaces.
Additionally, you may manually concatenate the entire authorization link by using your app_key and state.
The final authorization link should resemble:
PLAINWord Wrap
https://shop.tiktok.com/alliance/creator/auth?app_key={your_app_key}&state={your_state}
Parameters:
app_key: your application identifierstate: a security parameter that should be generated server-side
State best practices:
- generate it on the server side
- make it random and unpredictable
- bind it to the current authorization session
- validate it strictly on callback
- treat it as single-use to reduce replay risk
Do not embed passwords, tokens, or other sensitive data directly into state.
Step 4: Let the creator sign in and authorize
After opening the authorization link, the creator typically:
- signs in with the TikTok account
- enters the creator authorization page
- reviews the requested scopes
- if the authorization page supports partial authorization, the creator may toggle some scopes on or off (exact UI behavior to be verified)
- clicks Authorize
Engineering note: the creator may authorize only part of the requested scopes
This means authorization success does not automatically mean all required business scopes were granted.
Step 5: Handle the callback and retrieve the auth code
Official facts / interface constraints
After the creator approves authorization, the platform redirects back to your Redirect URL with a temporary code. Here code is the parameter name returned in the callback URL; when you call Get Access Token, pass that same value as auth_code (evidence anchor: the callback example in this section + the parameter list in Step 6).
A typical callback looks like this:
PLAINWord Wrap
{redirect_url}?code={CODE_FROM_CALLBACK}&state={state}
Recommended implementation / engineering best practices
Your callback handler should:
- read
code - read and validate
state - detect callback errors if the user denied authorization
- stop the flow if no valid
codeis returned
The auth_code should be treated as short-lived and usually single-use. Exchange it for tokens as soon as possible.
Step 6: Exchange the auth code for tokens
Official facts / interface constraints
Use the Get Access Token endpoint:
PLAINWord Wrap
GET https://auth.tiktok-shops.com/api/v2/token/get
Required parameters
app_keyapp_secretauth_code(use thecodereturned by the callback URL)grant_type=authorized_code
Key response fields
access_tokenrefresh_tokenopen_iduser_typegranted_scopes
Recommended implementation / engineering best practices: validate immediately after token exchange
Always verify:
code == 0user_type == 1granted_scopescovers the minimum scopes required by your business
If these checks fail, do not move directly into business API calls.
Step 7: Refresh the token
Official facts / interface constraints
When the access token expires, refresh it with:
PLAINWord Wrap
GET https://auth.tiktok-shops.com/api/v2/token/refresh
Required parameters
app_keyapp_secretrefresh_tokengrant_type=refresh_token
Recommended implementation / engineering best practices: after refreshing, re-check key fields
user_typeopen_idgranted_scopes
For safety, it is better not to assume the refreshed token behaves identically to the previous token. A safer engineering practice is to revalidate key fields whenever a new token is issued.
How to use granted_scopes properly
granted_scopes is one of the most important fields in Creator authorization.
Use it at two levels:
Level 1: right after authorization
Check whether the creator granted the minimum scopes your business requires.
Level 2: before feature execution
Before calling an endpoint, confirm that the required scope is included in granted_scopes.
Recommended uses
- if authorization succeeded but scopes are incomplete, prompt the creator to reauthorize
- if the API returns
105005, check both app scopes and tokengranted_scopes - if your product has multiple modules, maintain a scope-to-feature mapping
Partial authorization
Creators can opt in or out what scope to authorize. A creator may not approve all scopes in one pass; callback success does not by itself mean all business-required scopes are available (evidence anchor: the granted_scopes field in the token response).
After calling [Get Access Token], please check the granted_scopes array in the response, and make sure the creator has authorized all necessary scopes.
The scope keys definition is on the Manage API page:
If the authorized scopes are not sufficient for your business, please ask the creator to "remove all access" and re-authorize again.
Reauthorization and deauthorization
Official facts / interface constraints
Creator authorization can be reasoned about through two lifecycle changes below. The exact product entry points for "remove all access" or disabling some scopes are still to be verified.
The creator removes all access
Result:
- the old token becomes invalid
- future API calls fail with token invalid / deauthorized style errors
The creator disables some scopes
Result:
- APIs under those scopes will start failing with permission errors
- a common error is
105005
Recommended implementation / engineering best practices
Your app should therefore provide:
- a clear way back to the authorization page
- an understandable reauthorization flow
- clear error messages for invalid tokens and missing scopes
Common errors and troubleshooting
| Error / scenario | Meaning | Suggested action |
|---|---|---|
105005 | Missing required scope at app level or token level | Check app scopes, then check the token's granted_scopes, then ask the creator to reauthorize if needed |
105002 | Access token expired | Refresh the token |
105001 / token invalid | Token invalid, revoked, or user removed all access | Reauthorize if needed |
101000 | Wrong token identity or wrong API-token pairing | Make sure you are not using a seller token against a creator API |
| A practical rule of thumb:If a newly enabled scope still does not work, the first thing to inspect is usually the token's granted_scopes from the creator's latest authorization, not the app version number. |
Best practices
- generate and validate
stateon the server side - persist
granted_scopes - store creator tokens separately from seller tokens
- exchange the auth code as soon as possible after callback
- request only the minimum necessary scopes
- provide a clear reauthorization entry in the product
- check scope capability before calling an API
FAQ
Can a creator token and a seller token be reused interchangeably?
No. They represent different user identities and should not be mixed.
Why did authorization succeed but the API still returns 105005?
Usually because either:
- the app does not have the required scope enabled, or
- the token's
granted_scopesdoes not contain the required scope
After refreshing a token, is it recommended to keep checking granted_scopes?
For safety, yes. A safer engineering practice is to revalidate key capability fields whenever a new token is issued.
What should I do if the creator granted only part of the requested scopes?
Use granted_scopes to control feature availability, and reauthorize if a missing scope blocks critical business flows.
Missing parameter: The URL must include the "state" parameter for creators to authorize this app. Please contact the developer for assistance.
For creator authorization links, you are required to manually add a state parameter for extra security. The state is an unguessable random string that can help protect cross-site request forgery attacks, and is not automatically included in the basic authorization link.
No data retrieved: The requested API list is empty. Please contact the app developer for more information.
APP must open creator api scopes.
APP & Service -> Manage API, look for scope keys that begin with creator.