How to Get Your TikTok Ads API Key
May 29, 2026
TikTok doesn't issue a static "API key." The Marketing API requires three things together: a developer app registered in TikTok's developer portal (producing a client_key and client_secret), OAuth 2.0 advertiser authorization that exchanges an auth code for access and refresh tokens, and — for production access at any meaningful volume — passing TikTok's app review and data-security compliance check.
The honest 2026 framing: TikTok's Marketing API is operational, but it's the most gated of the major paid-social APIs. Snapchat is open to all developers with no approval (since 2018). Pinterest gates production writes behind a Trial → Standard demo-video review. TikTok requires Business Center onboarding, sandbox-to-production app review, business verification for higher-volume access, and a data-security compliance audit. Public 2026 reporting doesn't show outright US bans on the Marketing API, but US scrutiny does show up as friction — harder approvals, stricter review, slower onboarding — not as visible public restrictions in the docs themselves.
For B2B SaaS engineers, the practical implication: plan for a multi-week approval process for production access, and design your integration to work in sandbox first.
This guide covers the 2026 process: creating a developer organization, registering an app, navigating sandbox-to-production review, running the OAuth flow, handling Business Center hierarchy, and the TikTok-specific patterns (Spark Ads, Events API) that don't exist on other paid-social platforms.
Key takeaways
- The current product is TikTok API for Business with the Marketing API v1.3 still the active version, documented at
business-api.tiktok.com/portal/docs/marketing-api-get-started/v1.3. - App registration happens at the TikTok for Developers portal (
developers.tiktok.com) under Manage apps → Connect a new app, after creating a verified developer organization. - Sandbox → Production tier model. New apps start in Sandbox Mode (restricted environment, no full review). Production access requires app review and a data-security compliance check.
- Business Center onboarding is structural, not optional. TikTok's Marketing API assumes Business Center as the hub for managing multiple ad accounts, team permissions, and shared assets. Agencies are first-class.
- Two separate API surfaces with different auth models: Marketing API uses OAuth 2.0 advertiser authorization; the Events API uses a long-lived token tied to the Pixel, not OAuth.
- The hierarchy is Business Center → Advertiser → Campaign → Ad Group → Ad, with
advertiser_id,campaign_id,adgroup_id, andad_idas the identifiers in API paths. - Spark Ads uses a creator-granted authorization code — not OAuth — to authorize boosting organic creator content. Unique to TikTok among major ad platforms.
- No hard delete for creatives. TikTok's API supports create, update, and status toggling, but not destructive delete — by design.
Before you start
You'll need:
- A TikTok for Business account at
business.tiktok.comwith an active ad account - Plans for business verification if you'll need higher-volume production access
- A redirect URI for OAuth callbacks (HTTPS for production,
http://localhostfor sandbox testing) - A privacy policy URL and clear data-handling documentation — TikTok's compliance review checks both
- Realistic expectations on timeline: sandbox access can be set up in hours; production approval typically takes days to weeks depending on use case and review queue
If you're building for a multi-tenant SaaS, you'll also need to plan for Business Center linking during customer onboarding. Each customer's Business Center must grant your app access to their advertiser accounts before your integration can call Marketing API endpoints on their behalf.
Step-by-step: getting TikTok Marketing API access in 2026
1. Create a TikTok for Developers organization
Go to developers.tiktok.com and sign up with your TikTok for Business credentials. Create an organization representing your company. Complete business verification if your use case requires it (recommended for any production B2B SaaS integration — verification can take days, so start early).
2. Register your app
From the Developers portal, go to Manage apps → Connect a new app. Fill in:
- App name and description
- Website URL and privacy policy URL
- Redirect URI for OAuth callbacks
- Products / capabilities — select Marketing API (and any others you need, like Content Posting API if you're handling organic content alongside ads)
- Requested scopes / permissions matching what your integration will use
After creating the app, you'll see your client_key (sometimes called app_id) and client_secret in the app dashboard. The secret is sensitive — store it immediately.
3. Develop in Sandbox Mode
New apps start in Sandbox Mode — a restricted environment where you can test integrations without submitting for full review. Sandbox lets you exercise the OAuth flow, test API calls, and validate your implementation against synthetic or limited data.
You can clone configurations from production into a sandbox during development. The goal is to have a working integration before requesting production access — production review failures cost weeks of development time.
4. Run the OAuth advertiser authorization flow
Direct advertisers to TikTok's advertiser authorization URL:
https://business-api.tiktok.com/portal/auth
?app_id={YOUR_CLIENT_KEY}
&redirect_uri={YOUR_REDIRECT_URI}
&state={CSRF_TOKEN}
The advertiser signs in to TikTok for Business, sees the consent screen describing what your app is requesting, and approves access. TikTok redirects to your redirect_uri with ?auth_code={AUTH_CODE}&state={CSRF_TOKEN}.
5. Exchange the auth code for tokens
POST to TikTok's token endpoint:
POST https://business-api.tiktok.com/open_api/v1.3/oauth2/access_token/
Content-Type: application/json
{
"app_id": "{YOUR_CLIENT_KEY}",
"secret": "{YOUR_CLIENT_SECRET}",
"auth_code": "{AUTH_CODE}"
}
The response includes a short-lived access token, a long-lived refresh token (typically valid for around a year), and an advertiser_ids array listing which ad accounts this token can access. Store all three per-tenant.
6. Make authenticated Marketing API calls
Include the access token in the appropriate header for v1.3 endpoints:
GET https://business-api.tiktok.com/open_api/v1.3/advertiser/info/
?advertiser_ids=["{advertiser_id}"]
Access-Token: {access_token}
The hierarchy resolves through path parameters and query strings rather than nested URL segments — most endpoints take advertiser_id, campaign_id, adgroup_id, or ad_id as required parameters depending on the operation.
7. Apply for production access
Once your sandbox integration is working, submit your app for production review through the Developers portal. The review checks:
- Functional implementation — that you've correctly implemented the OAuth flow and the API endpoints you're using
- Data-security compliance — your privacy policy, data handling, storage, and user consent mechanisms
- Use-case appropriateness — that your stated use case matches what you're actually doing with the API
- Business verification status — required for many production capabilities
Higher-volume or sensitive use cases may require Partner status, which is a separate program with deeper review and direct TikTok contact.
The gotcha: TikTok's auth model has its own quirks
The Marketing API and the Events API have different auth models. Marketing API uses OAuth 2.0 advertiser authorization. The Events API for server-side conversion tracking uses a long-lived token generated and tied to a specific TikTok Pixel — not user OAuth. If your integration handles both campaign management and conversion event tracking, you need both credential systems. Don't try to call Events API endpoints with an OAuth access token, or vice versa.
Business Center onboarding is structural, not a configuration step. Unlike Snapchat (where Organization access is just a role) or Pinterest (where ad accounts hang directly off user accounts), TikTok's Marketing API genuinely assumes Business Center as the multi-tenant hub. Customers without a Business Center may need to set one up before your integration can work. Plan for this in your onboarding flow.
Sandbox tokens don't work against production endpoints. Switching environments means switching app credentials, switching base URLs, and re-running OAuth. Tokens issued against sandbox apps won't authenticate against the production API surface.
Refresh tokens have a finite lifetime. Unlike Snapchat (where refresh tokens don't expire), TikTok refresh tokens typically live around a year before requiring re-authorization. Build re-auth UX into your SaaS now — at one-year intervals, every customer will need to reconnect.
Spark Ads uses a different authorization pattern entirely. When advertisers boost organic creator content, the creator generates a Spark authorization code in their personal TikTok app (Ad Settings → toggle Ad authorization → set duration 7/30/60/180/365 days → receive code). The advertiser then uses that code in their ad creation flow — typically via the tiktok_item_id or auth-code field on creative endpoints. This isn't OAuth and doesn't go through Business Center. It's a creator-controlled, time-bounded grant that the advertiser injects into their API calls.
Creative delete is by design not destructive. TikTok's API supports creative create, update, and state changes (pause, archive, off) — but not hard delete. Plan for status-based lifecycle management rather than purge-and-recreate workflows.
Rate limits are moderate but inconsistent across endpoints. Default per-endpoint limits hover around 600 requests per minute for content APIs, with Marketing API endpoints often lower. Limits use a one-minute sliding window. For high-volume integrations, plan to batch reporting requests, cache stable data, and negotiate Partner-status limits when scale demands it.
Security and credential handling
Store client_secret****, refresh tokens, and Events API tokens in a proper secret manager. All three are sensitive. AWS Secrets Manager, Azure Key Vault, GCP Secret Manager. Never commit them.
Refresh proactively. Access tokens are short-lived (typically around 24 hours, though TikTok documentation isn't fully explicit on exact lifetimes). Refresh before expiration with retry logic and exponential backoff.
Plan for the one-year re-authorization. Refresh tokens expire. Build customer-facing re-auth UX before your first customer hits the one-year mark — not after.
Handle Business Center revocation gracefully. Customers can revoke your app's access to their Business Center at any time, which invalidates all associated advertiser tokens. Detect revocation through repeated 401 / 403 errors during refresh and prompt the customer to reconnect rather than retrying indefinitely.
Use least-privilege scopes. Request only the products and capabilities your integration actually uses during app registration. Broader requested permissions can slow down production review.
Rate limit defensively. With 600 RPM per-endpoint baselines and per-app, per-token, and per-advertiser quotas in play, multi-tenant SaaS needs centralized request pacing rather than per-tenant throttling alone.
Is there an API-key alternative?
For the Marketing API: no. OAuth 2.0 advertiser authorization is the only path. There are no static API keys for general Marketing API access.
For the Events API: yes — but it's scoped narrowly to a specific TikTok Pixel and used only for server-side conversion event tracking. It's not a general-purpose Marketing API credential.
Frequently asked questions
Is TikTok's Marketing API restricted in the US in 2026? No, not in a way that shows up as outright public bans in the developer docs. The API is operational for US advertisers and developers. What has changed is the rigor of access — stricter app review, data-security compliance checks, business verification requirements, and more conditional approvals for higher-volume or sensitive use cases. US-specific scrutiny shows up as friction in the approval process, not as visible API surface restrictions.
How does TikTok compare to Snapchat and Pinterest for API access? Snapchat is the easiest — open to all advertisers and developers since 2018, no tier model, no approval. Pinterest is moderately gated with a Trial → Standard tier system and demo-video approval for production writes. TikTok is the most gated of the three: sandbox-to-production app review, business verification, data-security compliance check, and Partner status required for high volume. If you're building integrations for all three, plan TikTok's onboarding first because it has the longest lead time.
What's a Spark Ads code and do I need it? Spark Ads let advertisers boost organic creator content as ads, preserving the creator's handle and social proof. The creator generates a time-bounded authorization code in their personal TikTok app, and the advertiser uses that code in their ad creation flow. You need it only if your integration supports creator-economy or influencer-marketing workflows. Standard branded ads don't use Spark codes.
Why does the Marketing API have OAuth but the Events API doesn't? Different problems, different designs. Marketing API operations (campaign management, reporting, creative uploads) need to act on behalf of a specific advertiser with their consent — OAuth fits. Server-side conversion event tracking is a high-volume, machine-to-machine flow tied to a specific Pixel — a long-lived static token is operationally simpler. Pinterest made the same split (OAuth for Marketing API, separate CAPI token for Conversions). Snapchat consolidates both into the same OAuth flow with different scopes.
Can I create and delete creatives via API? Create and update — yes. Hard delete — no. TikTok's API treats creatives as records you toggle through states (pause, archive, off) rather than purge. This is a deliberate API design choice, not an SDK limitation.
Where Unified fits
Unified.to provides a single API across TikTok Ads, Snapchat, Pinterest Ads, Reddit Ads, Meta Ads, LinkedIn Ads, Google Ads, Microsoft Advertising, Amazon Advertising, Google Campaign Manager 360, Google Display & Video 360, and 4 other advertising integrations — 15 in total — covering campaigns, ad groups, ads, creatives, targeting, and reporting through a normalized data model.
For TikTok Ads specifically, Unified handles OAuth advertiser authorization, refresh-token management, the Business Center hierarchy, and the Marketing API v1.3 endpoint structure behind a single authorization step. Real TikTok objects map to Unified's normalized models: ads_organization (list/get), ads_campaign, ads_group, and ads_ad with full CRUD, and ads_creative with create, update, list, and get — mirroring TikTok's actual API capability around creative state management rather than hard deletion. ads_report and ads_target handle reporting and targeting access. Vendor-specific endpoints — including the Events API for server-side conversion tracking, Spark Ads creator-authorization-code flows, and the more advanced Smart+ campaign configurations — are available through pass-through access where the full TikTok API surface is reachable through Unified's authorized connection.
If you're evaluating whether to build TikTok Ads integration directly or use a unified API, the question is less about the auth complexity of TikTok in isolation and more about whether building parallel integrations for every ad platform — each with different access models, different OAuth quirks, different rate limits, and different conversion-tracking patterns — is something your team should own, or something to abstract behind a single connection.