Integration
Growcita + TikTok
Growcita integrates with two distinct TikTok surfaces: TikTok Shop for commerce automation (catalog, inventory, orders) and TikTok Ads for paid-media campaign management. They use separate Partner Center / Business API OAuth flows and are managed independently under your autonomy and guardrail settings.
TikTok Shop
Live. Connected via TikTok Partner Center OAuth. The Growth Marketer and Creative agents use the Shop Open API to sync catalogs and manage inventory.
What it does
- Catalog sync: Read authorized shops, their products, and SKUs into Growcita so the agents can reason about your TikTok Shop inventory.
- Inventory updates: Apply approved per-SKU inventory adjustments using signed Open API requests. Bulk catalog rewrites are intentionally out of scope.
- Order visibility: Read recent orders for revenue dashboards and to tie creative performance back to actual sell-through.
Data accessed
- Authorized shops (id, cipher, name, region)
- Products, SKUs, and inventory levels
- Orders and fulfillment status
- Inventory level updates (per SKU)
- (Optional, opt-in) catalog draft updates
TikTok Shop uses per-app access_token + refresh_token pairs. Every Open API call carries an HMAC-SHA256 signature derived from your app secret. Tokens are refreshed silently before expiry.
TikTok Ads
Native OAuth in development. TikTok Ads (TikTok Business API) is currently connected through our managed-OAuth provider, Composio, so users can already run campaigns while we complete the native TikTok Business OAuth integration. Once native OAuth ships, this section will move to a dedicated scope table identical to the other native integrations.
What it does today
- Campaign management: Create campaigns and ad groups in disabled state, adjust budgets within your daily-change guardrail, and pause underperformers. Enabling a campaign requires explicit approval.
- Performance reporting: Pull spend, impressions, clicks, conversions, and ROAS across your TikTok ad accounts and campaigns.
- Trends and ad library: The Creative agent reads from TikTok's public Creative Center and ad library (no merchant authentication required) to surface trending hooks and competitor creatives.
How the connection is authorized
You authenticate via Composio's embedded consent screen for the TIKTOK toolkit. Composio handles the OAuth handshake with TikTok on our behalf and never exposes the raw token to Growcita — we call the Ads API through the Composio proxy. Tokens are stored encrypted by Composio under SOC 2 controls; you can revoke access at any time from your Growcita integrations settings.
OAuth scopes & authorization
| Surface | Authorization | What we need |
|---|---|---|
| TikTok Shop | Partner Center OAuth at services.us.tiktokshop.com/open/authorize | Approval through TikTok Shop Partner Center for product + inventory scopes. Each authorized shop returns a shop_cipher required on every subsequent Open API call. |
| TikTok Ads | TikTok Business API OAuth via Composio (managed). Native flow in development. | Read & manage ads scope on your TikTok Ads Manager account. Approval requirements are handled by TikTok's Business API review process. |
New TikTok Ads campaigns are always created in disabled state. Enabling requires explicit approval. Catalog and inventory syncs from TikTok Shop are batched and signed; we never replay POSTs on a network error without first checking platform state.
TikTok Developer Terms commitment
Growcita's use of data received from TikTok adheres to the TikTok API Platform Terms of Service and the TikTok Shop Partner Terms.
- No selling TikTok data. We do not sell, license, or share TikTok data with data brokers, advertising networks, or unrelated third parties.
- No generalized model training. We do not use TikTok merchant or advertiser data to train generalized AI models. Only per-session agent invocations see your data, and only for the task you initiated.
- Purpose limitation. TikTok data is used only to deliver the features described on this page and elsewhere in the Growcita product.
- Retention. Tokens are deleted within 24 hours of disconnect; cached performance data is deleted within 30 days on request.
How we secure your data
- Encrypted tokens. TikTok Shop access and refresh tokens are stored in our Supabase Postgres database encrypted at rest. TikTok Ads tokens, managed by Composio, are stored under their SOC 2 controls and never exposed to Growcita workers in plaintext.
- Signed Open API requests. Every TikTok Shop request carries an HMAC-SHA256 signature generated from your app secret — unsigned or tampered requests are rejected at the gateway.
- TLS in transit. All requests to TikTok APIs and between Growcita services use TLS 1.2 or higher.
- Idempotent writes. Inventory and campaign mutations are designed to be safely retryable; we never replay non-idempotent POSTs without first checking platform state.
- Audit log on every write. Every TikTok write is recorded in our internal tool_executions table with the tool name, input size, duration, and outcome.
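The "check platform state before replaying" rule from the idempotent-writes item, as an added example (not Growcita's or TikTok's code): a relative inventory adjustment whose reply is lost gets double-applied by a blind retry, while a retry that re-reads state first does not. `FakeShop`, `post_adjust`, `get_stock` and the fault injection are hypothetical stand-ins constructed for this illustration.

```python
class NetworkError(Exception):
    """Ambiguous failure: the caller cannot tell whether the write landed."""

class FakeShop:
    """Constructed in-memory stand-in for a commerce API (hypothetical)."""
    def __init__(self, stock, faults=None):
        self.stock = dict(stock)
        self.faults = faults or {}   # call number -> "request" | "reply"
        self.calls = 0

    def get_stock(self, sku):
        return self.stock[sku]

    def post_adjust(self, sku, delta):
        self.calls += 1
        fault = self.faults.get(self.calls)
        if fault == "request":       # request never reached the platform
            raise NetworkError("request lost")
        self.stock[sku] += delta     # platform applies the change ...
        if fault == "reply":         # ... but the reply never arrives
            raise NetworkError("reply lost")
        return self.stock[sku]

def adjust_blind_retry(shop, sku, delta, attempts=3):
    """Unsafe: replays a non-idempotent POST on any network error."""
    for _ in range(attempts):
        try:
            return shop.post_adjust(sku, delta)
        except NetworkError:
            continue
    raise RuntimeError("gave up")

def adjust_checked_retry(shop, sku, delta, attempts=3):
    """Safe: after an ambiguous failure, read platform state before replaying."""
    baseline = shop.get_stock(sku)
    target = baseline + delta
    for _ in range(attempts):
        try:
            return shop.post_adjust(sku, delta)
        except NetworkError:
            current = shop.get_stock(sku)
            if current == target:        # write landed; only the reply was lost
                return current
            if current != baseline:      # someone else changed it: do not guess
                raise RuntimeError("stock changed concurrently; needs review")
            # current == baseline: write never landed, replay is safe
    raise RuntimeError("gave up")
```
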
Revoke access at any time
Revoke from either Growcita or TikTok directly:
- Shop: Open TikTok Shop Seller Center → Authorized Apps and revoke “Growcita”
- Ads: Sign in to Growcita and disconnect from the Integrations page; revocation flows through Composio to TikTok
Delete stored TikTok data
Disconnecting deletes the encrypted tokens from our database. To delete cached performance data, follow the Data Deletion Instructions or email privacy@growcita.com. Requests are processed within 30 days.
Independent third party
Growcita is an independent third-party application built on the TikTok Shop Open API and TikTok Business API. We are not affiliated with, endorsed by, or sponsored by TikTok Pte. Ltd. or ByteDance Ltd. “TikTok” and “TikTok Shop” are trademarks of their respective owners.
Ready to connect?
Sign in to Growcita and connect your TikTok Shop seller account or authorize TikTok Ads via Composio. You stay in control of which shops and ad accounts the agents can touch.