For TikTok App Review

TikTok Integration on MakeAFVDO

A plain-English, end-to-end walkthrough of how our app uses TikTok's Login Kit + Content Posting API — including every scope, what data we store, and how a user can revoke access.

1. What the app does

MakeAFVDO is an AI assistant for Thai affiliate marketers. A user pastes a product URL from Shopee / TikTok Shop / Lazada / AliExpress, and our pipeline:

  1. Scrapes the product (name, price, images).
  2. Writes a 15–60 second Thai sales script using Google Gemini.
  3. Generates voice-over using ElevenLabs / Botnoi / Google TTS.
  4. Composes the final MP4 with Remotion (9:16, 1:1, 16:9).
  5. Optionally — uploads the final video to the user's TikTok inbox as a draft.

2. TikTok scopes we request

Only two — strictly the minimum needed:

| Scope | Why we need it |
| --- | --- |
| user.info.basic | To show the user their own avatar + display name in our Settings page after they connect, which confirms the right account is linked. |
| video.upload | To send the generated MP4 into the user's TikTok Inbox (drafts) via the Content Posting API's /post/publish/inbox/video/init/ endpoint. The user then reviews and publishes it manually inside the TikTok app. |

We do not request user.info.profile, user.info.stats, video.list, or video.publish. Our app never posts publicly on the user's behalf without their manual confirmation inside TikTok.

3. End-to-end flow

  1. User signs in with Google
     Our only authentication provider is Google OAuth. See /login.
  2. User clicks Connect TikTok on /settings
     Our server generates a CSRF state cookie and redirects to https://www.tiktok.com/v2/auth/authorize/ requesting the two scopes above. See app/api/tiktok/connect/route.ts.
  3. User authorizes on TikTok
     TikTok shows its native consent screen. Once approved, TikTok redirects back to /api/tiktok/callback with an auth code.
  4. Server exchanges code for tokens
     We call /v2/oauth/token/ server-side with client_key + client_secret. The access token, refresh token, expiry, open_id, and granted scope are stored in a PostgreSQL row keyed by the user. We never ship these tokens to the browser.
  5. User generates a video
     The user pastes a product URL on /create. Our pipeline renders an MP4 file on disk — no TikTok API call happens here.
  6. User clicks Upload to TikTok
     Our server (a) initializes an inbox upload at /v2/post/publish/inbox/video/init/, (b) PUTs the MP4 bytes to the returned upload URL, then (c) polls /v2/post/publish/status/fetch/ until PUBLISH_COMPLETE.
  7. Video appears in the user's TikTok Inbox
     The user opens the TikTok app, taps the notification in the Inbox tab, reviews the video, and decides whether to publish. We never auto-publish.
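
Steps 2 to 4 depend on the state check in the callback and on storing only the scopes that were requested. The following is an added sketch of those checks in TypeScript, not MakeAFVDO's actual route code: the function names are hypothetical, the query parameter names follow TikTok's Login Kit for Web, and the comma-separated format of the granted scope string is an assumption.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

const AUTHORIZE_URL = "https://www.tiktok.com/v2/auth/authorize/";
// The only two scopes the page says the app requests.
const REQUESTED_SCOPES = ["user.info.basic", "video.upload"];

// Step 2: create an unguessable state value and the redirect URL.
// The caller stores `state` in an HttpOnly, Secure, SameSite=Lax cookie
// (Lax, so the cookie is still sent on the top-level redirect back from TikTok).
function buildAuthorizeRequest(clientKey: string, redirectUri: string) {
  const state = randomBytes(32).toString("hex");
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set("client_key", clientKey);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", REQUESTED_SCOPES.join(","));
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  return { state, url: url.toString() };
}

// Step 3: accept the callback only if its state matches the cookie.
// Returns the auth code on success, or null so the caller can reject with 400.
function verifyCallback(query: URLSearchParams, cookieState: string | undefined): string | null {
  const returned = query.get("state");
  const code = query.get("code");
  if (!returned || !cookieState || !code) return null;
  const a = Buffer.from(returned);
  const b = Buffer.from(cookieState);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  return code;
}

// Step 4: before storing tokens, list any granted scope that was not requested.
// A non-empty result means the grant is broader than intended and should not be stored.
function unexpectedScopes(grantedScope: string): string[] {
  return grantedScope
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0 && !REQUESTED_SCOPES.includes(s));
}
```

The state cookie should be cleared after the callback is handled, whether or not the check passed, so a value cannot be reused.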

4. What we store

We do not store video analytics, follower counts, or any content from the user's existing TikTok feed. We never sell or share TikTok data with third parties.

5. Revoking access

On our /settings page there is a Disconnect button. Clicking it calls /api/tiktok/disconnect which in turn calls TikTok's /v2/oauth/revoke/ endpoint and deletes the token row from our database. The user can also revoke access directly from TikTok's Manage Apps screen at any time.

6. How to test this review

  1. Open https://makeafvdo.com — this is our homepage.
  2. Scroll down — the footer links directly to /terms and /privacy.
  3. Click “เปิดแอป” (Open App) → sign in with Google (required because each account generates user-specific tokens).
  4. Go to /settings → click Connect TikTok → authorize with a sandbox user.
  5. Go to /create → paste any Shopee URL (e.g. a public listing) → click “Start”.
  6. When the video is done, click Upload to TikTok → check the sandbox account's Inbox in the TikTok app.

If you need a pre-loaded test account, please email support@makeafvdo.com and we'll provision a creator account for your team within 24 hours.
