Bearer tokens
Every request must carry a bearer token in the Authorization header:
    Authorization: Bearer tkf_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
No query-string auth, no basic auth, no cookies. Cookies are deliberately ignored on the API host so cross-site requests cannot pick up a logged-in browser session by accident.
Token format
Tokens are 41 characters total: a fixed tkf_live_ prefix followed by 32 random alphanumerics. The first 13 characters (tkf_live_xxxx) are stored as the key's display prefix so you can recognize a key in the portal without ever seeing its full value again.
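Because the format is fixed, leaked keys can be found in logs and cut down to the display prefix before the logs are stored or shared. The sketch below is an added example, not the service's own code; the function names, the [REDACTED] marker and the sample log are assumptions constructed for illustration.

```python
import re

# Format documented on this page: "tkf_live_" + 32 alphanumerics (41 chars).
# The lookarounds stop a match inside a longer alphanumeric run.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])tkf_live_[A-Za-z0-9]{32}(?![A-Za-z0-9])")
DISPLAY_LEN = 13  # display prefix: "tkf_live_" plus the first 4 random chars

# Constructed sample values, not real credentials.
SAMPLE_TOKEN = "tkf_live_" + "EXAMPLE0" * 4
SAMPLE_LOG = (
    'GET /v1/items 401 auth="Bearer ' + SAMPLE_TOKEN + '"\n'
    "GET /v1/items?note=tkf_live_short 200\n"
)


def is_well_formed(token):
    """True only if the whole string matches the documented format."""
    return TOKEN_RE.fullmatch(token) is not None


def redact(text):
    """Replace each full token with its display prefix and a marker.

    Returns (redacted_text, display_prefixes) so the leaked key can be
    found in the portal and revoked without the full value being kept.
    """
    found = []

    def _sub(match):
        prefix = match.group(0)[:DISPLAY_LEN]
        found.append(prefix)
        return prefix + "[REDACTED]"

    return TOKEN_RE.sub(_sub, text), found


if __name__ == "__main__":
    cleaned, prefixes = redact(SAMPLE_LOG)
    print(cleaned, prefixes)
```

The returned display prefixes are what you match against the API keys page to pick the key to revoke.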
Revoking a key
Open API keys, click Revoke, confirm. The key stops authenticating on the next request — no propagation delay.
Rate limits
Two limits run in parallel and are independent of credit consumption:
- 600 requests / minute / IP — guards against runaway clients.
- 1200 requests / minute / API key — guards a single compromised key from hammering the upstream.
When throttled, you get a 429 rate_limited response with a Retry-After header giving the wait in seconds. Back off and resume.