How the Logic Target Agency Platform uses the TikTok API
This page is the public disclosure for our TikTok for Business developer application. It covers the application identity, use case, scopes requested, OAuth flow, data handling and user controls.
Application identity
The Logic Target Agency Platform is an internal reporting and operations application built and operated by Logic Target LLC. It is registered with TikTok for Business as a Marketing API developer application.
App ID: 7600593971684835329
Business Center ID: 7600853899726716944
Operator: Logic Target LLC, Walnut, CA, USA
Privacy contact: privacy@logictarget.online
Security contact: security@logictarget.online
Policies we commit to
- TikTok Marketing API Terms of Service
- TikTok Developer Data Use Policy
- TikTok Developer API Acceptable Use Policy
- TikTok for Business Terms of Service
- TikTok Branded Content Policy
- TikTok Community Guidelines (on managed accounts)
- GDPR & CCPA-aligned data handling
- SOC 2-aligned operational controls
Why we built the platform and what it does
Logic Target manages a small portfolio of in-house brand accounts (Brass Studio, Moontide Collective, Velvet Fox Lab) and a contracted partner roster of creators and advertiser accounts. The Logic Target Agency Platform exists to consolidate operational and performance data from these accounts in one place, so that we and our clients can reason about the work in a single dashboard rather than across multiple TikTok cabinets.
Reporting (primary use)
Aggregating organic and paid performance metrics from authorized TikTok accounts into a unified weekly performance dashboard. Reports are shared with the Client whose accounts are being measured, and with the contracted Creators relevant to each post.
Campaign management
Operating Spark Ads campaigns on authorized advertiser accounts, linking organic creator posts to paid campaigns via tto.campaign.link, and applying ad recommendations surfaced through biz.ads.recommend.
Community management
Reading and triaging public comments on managed accounts via comment.list so that the Moontide Collective team can respond inside our internal workflow.
Creator Marketplace operations
Setting up, briefing and reporting on TikTok Creator Marketplace campaigns through biz.creator.info and biz.creator.insights for authorized clients.
Every scope we request and the reason we need it
We request only the scopes required to deliver the operational and reporting work described above. We do not request scopes for features we do not use, and we do not enumerate or store data outside what each scope authorizes.
| Scope | Data accessed | Why we need it |
|---|---|---|
| user.info.basic | TikTok open ID, display name, avatar URL of the authorized user. | To display the authorized account inside the platform dashboard and to associate work with the correct identity. |
| video.list | List of public videos posted by the authorized account, with public metadata. | To enumerate the posts that should appear on the performance dashboard for the Client / Creator. |
| video.insights | Aggregate performance metrics for videos posted by the authorized account. | The core of weekly performance reporting (views, reach, engagement, watch time). |
| comment.list | Public comments on videos posted by the authorized account. | Community-management workflow for the Moontide Collective team on managed accounts. |
| biz.brand.insights | Brand-level analytics inside an authorized Business Center. | To roll up brand-level performance across multiple managed accounts for the Client report. |
| biz.creator.info | Creator profile data inside TikTok Creator Marketplace. | To set up and brief TCM campaigns with the Creators we have authorized in. |
| biz.creator.insights | Creator-level performance data inside TCM campaigns. | To produce closed-loop reporting on the performance of TCM campaigns. |
| biz.ads.recommend | Ad recommendation signals for managed advertiser accounts. | To apply TikTok-surfaced optimization recommendations during campaign management. |
| tto.campaign.link | Links between organic posts and Spark Ads campaigns. | To attach organic creator posts to paid campaigns and report closed-loop performance. |
All access is read-only or limited to the operations specifically authorized by the scope (for example, linking an organic post to a paid campaign with the user's authorization). We do not request scopes that grant access to direct messages, private content, or any data outside the scopes above.
How a user authorizes the Logic Target Agency Platform
We use TikTok Login Kit for end-user authorization. The authorization flow is standard OAuth 2.0 with PKCE.
Connect
The authorized end user clicks "Connect TikTok" inside the Logic Target Agency Platform.
Redirect
We redirect to open-api.tiktok.com with the scope list, state and PKCE challenge.
Consent
The user sees TikTok's native consent screen with the exact scopes requested. They explicitly grant or deny.
Callback
TikTok redirects to https://www.logictarget.online/tiktok/auth/callback with the authorization code.
Exchange
Our server exchanges the code for an access token + refresh token over a server-to-server call.
Store
Tokens are encrypted with AES-256 at rest and stored against the authorized user record.
Use
API requests are made with the access token, subject to rate limiting and exponential backoff.
Disconnect
The user can disconnect at any time from inside our platform or from TikTok Settings.
A walkthrough screenshot set is available on our demo page.
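The Redirect and Callback steps above, sketched as an added example (not Logic Target's code): it generates the state and PKCE verifier, builds the authorization URL, and rejects a callback whose state does not match the session. The authorize path, the client identifier, the `session` dict and the RFC 6749 / RFC 7636 parameter names are assumptions; TikTok's own names may differ.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions (not from the page): the authorize path and the RFC-standard
# parameter names. Only the host and the redirect URI come from the page.
AUTHORIZE_URL = "https://open-api.tiktok.com/AUTHORIZE_PATH_PLACEHOLDER"
REDIRECT_URI = "https://www.logictarget.online/tiktok/auth/callback"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)), RFC 7636 section 4.2."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def begin_authorization(session: dict, client_id: str, scopes: list) -> str:
    """Redirect step: keep state and verifier server-side, send only the challenge."""
    session["oauth_state"] = _b64url(secrets.token_bytes(32))
    session["pkce_verifier"] = _b64url(secrets.token_bytes(32))  # 43 characters
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # separator per RFC 6749 (assumption)
        "state": session["oauth_state"],
        "code_challenge": pkce_challenge(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}"

def handle_callback(session: dict, callback_url: str) -> dict:
    """Callback step: check state, then return the form for the code exchange."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use: a replay fails
    verifier = session.pop("pkce_verifier", None)
    got = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in params or "code" not in params:
        raise ValueError("authorization denied or code missing")
    return {"grant_type": "authorization_code", "code": params["code"][0],
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier}
```

The returned form is what the server-to-server Exchange step would send; the verifier never leaves the server until that call, so an intercepted authorization code cannot be redeemed without it.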
Storage, security, retention and deletion
Storage
- Primary database: PostgreSQL on Amazon RDS, encrypted at rest using AWS KMS-managed keys (AES-256).
- Object storage (deliverables only, not API data): Amazon S3, SSE-KMS.
- Backups encrypted, 35-day rotation.
- All hosting is inside the United States (AWS region us-east-1).
Security
- TLS 1.3 in transit.
- Access tokens encrypted at rest; refresh tokens rotated on every use.
- Role-based access control, principle of least privilege.
- Multi-factor authentication required for all internal access.
- Audit log of all internal access to authorized-user data.
- Vulnerability scans on every deploy; quarterly penetration test.
- Security disclosures: security@logictarget.online.
Rate limits & reliability
- Per-endpoint rate-limit tracking with exponential backoff.
- Respect for Retry-After headers.
- Token refresh handled automatically before expiry.
- Circuit breakers around upstream failures.
Retention & deletion
- Operational TikTok-derived data retained for the duration of the engagement plus 90 days, then permanently deleted.
- Authorized end users can disconnect the application at any time inside TikTok Settings > Privacy > Manage app permissions, which triggers deletion within 90 days.
- Explicit deletion requests through the data deletion page are honored within 30 days.
- Backups are purged on a 35-day rotation cycle after primary deletion.
Subprocessors
See the Subprocessors table in our Privacy Policy.
Hard commitments about how we handle TikTok data
We do not
- Sell TikTok-derived data to any third party.
- Use TikTok data to build advertising profiles for resale.
- Combine TikTok data with data from other platforms without an explicit, written end-user authorization.
- Request scopes that we do not need to deliver the contracted work.
- Train machine-learning models on identifiable TikTok user data.
- Bypass platform rate limits or scrape data outside the API.
- Retain TikTok-derived data after a disconnection event longer than the 90-day window described above.
- Operate any feature that purchases, fakes or automates engagement on a TikTok account.
What the authorized end user can do at any time
Disconnect inside our platform
Each authorized user has a "Disconnect TikTok" button on the platform's settings page. A single click revokes our access and triggers deletion.
Disconnect inside TikTok
Open the TikTok app or web client → Settings → Privacy → Manage app permissions → revoke "Logic Target Agency Platform". We detect the revocation on the next refresh cycle.
Request data deletion
Submit a request on the data deletion page, or email privacy@logictarget.online from the email associated with your authorized account.
Exercise your privacy rights
Access, correction, portability and other rights are documented in our Privacy Policy.
Reviewing this application?
If you are a TikTok policy reviewer and need additional documentation — architecture diagram, security questionnaire, demo recording — reach out and we will respond same business day.
Email our security team →