Create a hash to sign your test API call
Now that you've created a test access token, you're ready to generate the cryptographic hash required to sign your first API call.
There are six steps to generating the required cryptographic hash:
Step 1: Sort query parameter names alphabetically
Sort the query parameter names and values alphabetically. For the Get Authorized shop API, there are two required query parameters: app_key and timestamp. You're already familiar with app_key, it's the TikTok Shop App key that was generated for your test TikTok Shop App when you created it. timestamp is the current date and time in Unix epoch format, which is the number of seconds that have passed since January 1, 1970.
If you don't have a way to generate this programmatically, you can perform a web search to find a website that can produce this value for you. As an example, let's assume your app_key is 123456 and the current timestamp is 1234567890. To sort these parameters, we compare app_key to timestamp, and since the first letter of app_key is a, it comes before the t in timestamp. Therefore, our sorted query parameters are 1: app_key, 2: timestamp.
Step 2: Concatenate the sorted parameters names and values
Concatenate the sorted query parameters and their values from step 1 into a single string. In the example from step 1, this string is app_key123456timestamp1234567890.
Step 3: Append the string from step 2 to the API path
For our first API call, we don't need to perform a step to concatenate the request body to the string created in step 2. For the call to Get Authorized Shops, there is no request body.
Therefore, our next step is to append the string from step 2 to the API request path. For Get Authorized Shops, this is:
TEXTWord Wrap
/authorization/202309/shops
In the example from steps 1 and 2, the resulting string is:
TEXTWord Wrap
/authorization/202309/shopsapp_key123456timestamp1234567890
Step 4: Prepend and append TikTok Shop App client secret
Prepend and append your TikTok Shop App client secret to the string in step 3. In our example, let's assume that our client secret is abc000def111. The resulting string is now:
TEXTWord Wrap
abc000def111/authorization/202309/shopsapp_key123456timestamp1234567890abc000def111
Step 5: Encode the string using HMAC-SHA256
To generate the signature, you must use the HMAC-SHA256 algorithm.
HMAC-SHA256 requires two inputs:
- Key (Secret Key)
- Message (the string to be signed from Step 4)
🔑 Important
The Key (also called Secret Key or Salt in some tools) must be your TikTok Shop App Client Secret.
You can find your App Secret in:
TikTok Shop Partner Center Console
→ App & Service
→ Select your App
→ Developing section
→ App Secret
⚠️ If you do not enter the App Secret as the Key, the generated signature will be invalid.
How to Generate the Signature
You may use:
- An online HMAC-SHA256 generator tool
- Or your own backend code
If using an online tool:
- Select algorithm: HMAC-SHA256
- Enter the string from Step 4 as the Message
- Enter your App Secret as the Key / Secret / Salt
- Ensure output format is hex (lowercase) unless otherwise specified
If you prefer using code, please refer to the code samples provided in the Sign your API request documentation.
Next steps
Now that you've generated your cryptographic hash, you can make your first API call.