Authorization & Security
How Vibescaling secures your TikTok account connection.
When you connect your TikTok account, Vibescaling uses TikTok's official OAuth 2.0 protocol — the same secure authorization flow used by all TikTok-approved applications.
How Authorization Works
- You click "Connect Account" in Settings → TikTok
- Vibescaling generates a PKCE code challenge for additional security
- You're redirected to TikTok's website (not Vibescaling) with the code challenge
- TikTok shows you exactly what permissions are being requested
- You approve on TikTok's page
- TikTok sends Vibescaling a temporary authorization code
- Vibescaling exchanges this code (along with the PKCE code verifier) for access credentials
- Your account is now connected
- Vibescaling verifies all required permissions were granted
At no point does Vibescaling see or store your TikTok password. We only receive access tokens issued by TikTok.
If you deny any of the required permissions during TikTok's consent screen, you'll be redirected back with an error explaining which permissions are missing.
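The PKCE step and the permission check from the flow above, sketched as an added example (not Vibescaling's or TikTok's code). It uses the standard S256 method from RFC 7636; the scope names and the comma-or-space separated scope string are assumptions made for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import re
import secrets

# Hypothetical scope names, constructed for this example.
REQUIRED_SCOPES = {"profile.read", "stats.read", "video.list", "video.publish"}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side, before the redirect: return (code_verifier, code_challenge)."""
    # 64 random bytes encode to 86 characters, inside the 43-128 limit.
    verifier = _b64url(secrets.token_bytes(64))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verifier_matches(verifier: str, challenge: str) -> bool:
    """Authorization-server side, at code exchange: recompute and compare.

    A stolen authorization code is useless without the verifier, because
    only the challenge (a SHA-256 hash) ever travelled through the browser.
    """
    if not re.fullmatch(r"[A-Za-z0-9\-._~]{43,128}", verifier):
        return False
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


def missing_scopes(granted: str, required=REQUIRED_SCOPES) -> set[str]:
    """Return the required scopes absent from the token response's scope string."""
    have = {s for s in re.split(r"[,\s]+", granted.strip()) if s}
    return set(required) - have
```

The verifier stays on the server that started the flow and is sent only in the back-channel token request; a non-empty result from `missing_scopes` is the case where the connection is rejected and the user is told which permissions are missing.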
Token Security
| What | How It's Protected |
|---|---|
| Access tokens | Encrypted at rest before being stored |
| Refresh tokens | Encrypted at rest, used only to renew access |
| Your password | Never seen or stored by Vibescaling |
Token Lifecycle
- Access tokens expire after approximately 24 hours
- Refresh tokens last approximately 1 year
- Access tokens are refreshed automatically before every publish and analytics sync — if a token is within 1 hour of expiry, Vibescaling refreshes it transparently
- If a refresh token expires (after ~1 year), you'll need to reconnect your account from Settings
What Vibescaling Can and Cannot Do
Can Do (with your permission)
- Read your basic profile info (name, avatar)
- Read your TikTok username
- Read your follower/following counts
- List videos on your profile
- Upload and publish content when you click Publish Now or when a scheduled post fires
Cannot Do
- Access your TikTok password
- Post content without your explicit action (manual publish or scheduled publish you set up)
- Read your DMs or private data
- Modify or delete your existing content
- Access anything beyond the approved permissions
Revoking Access
You can revoke Vibescaling's access at any time:
From Vibescaling: Settings → TikTok → Disconnect
From TikTok: Settings → Security → Manage app permissions → Remove Vibescaling
Revoking access immediately invalidates all stored tokens. Vibescaling can no longer access your TikTok account until you reconnect.
Data Deletion
When you disconnect your TikTok account:
- All stored OAuth tokens are immediately invalidated
- Your TikTok username, display name, and avatar are cleared from our systems
- Associated video metrics data is deleted
You can also request complete data deletion by emailing support@vibescaling.org. See our Privacy Policy for details.
Data Handling
For full details on how your TikTok data is handled, see our Privacy Policy.