Introduction: This documentation provides a detailed walkthrough for junior developers on how to
automate TikTok interactions such as following users, liking posts, and commenting. We’ll cover the purpose of
TikTok automation, the ethical and legal considerations, how to set up your development environment (for both
Windows and Linux), and two main automation strategies: using APIs vs. browser automation. A step-by-step
implementation guide will demonstrate how to perform actions like follow and like using existing libraries. We’ll
also discuss security measures (like SSL pinning) that TikTok uses, and conclude with an alternative browser-based
automation approach. The goal is to be beginner-friendly and educational – not to encourage spam
or violation of TikTok’s terms. Use these techniques responsibly and ethically.
1. Introduction to TikTok Automation
TikTok automation involves using code or tools to perform actions on TikTok (following, liking, commenting, etc.)
without manual effort. This can help with managing social media tasks at scale or collecting analytical data.
However, it’s crucial to understand why and how to automate, as well as the
significant limitations and risks.
-
Purpose and Use Cases: Automation can save time by handling repetitive tasks. For example, a
business might want to auto-follow new followers back, or a researcher might collect data on trending videos.
Some users attempt to boost their visibility by automating likes and follows – though this is
generally discouraged for reasons we’ll outline. Always have a clear, legitimate goal for
automation, such as analytics or streamlining genuine engagement, rather than trying to game the system.
-
Ethical Concerns: TikTok’s community guidelines explicitly prohibit fake engagement and bots
that artificially inflate metrics. In fact, TikTok states “We do not allow the trade or marketing of
services that attempt to artificially increase engagement or deceive TikTok’s recommendation system.”.
Using bots to gain followers or likes can undermine authenticity on the platform and is considered spam. In
2022, TikTok reportedly removed over 256 million accounts suspected to be fake bots. Engaging
in spammy automation not only hurts the community’s trust but also puts your account at risk.
-
API Limitations: Unlike some platforms, TikTok does not offer a public API
for actions like posting, following, or liking content for third-party developers. The official TikTok API
(available to select partners) is very limited in scope and primarily focuses on content
sharing and analytics, not mass interaction automation. In other words, there’s no official API
endpoint to auto-follow or auto-like posts. Unofficial API wrappers exist, but they too have
limitations. For example, the popular Python library TikTokApi (an unofficial wrapper) allows
scraping public TikTok data (trending videos, user info, etc.) but cannot perform actions like follow
or like because those actions require authenticated requests (Tiktok
automation | BlackHatWorld). Any workaround for these actions involves reverse engineering private
endpoints, which is complex and against TikTok’s Terms of Service (Tiktok
automation | BlackHatWorld).
-
Risks of Automation: Automating TikTok comes with real risks:
- Account Suspension or Ban: TikTok’s Terms of Service explicitly forbid using automated
means to manipulate the platform. If TikTok detects bot activity, your account can be flagged and
suspended. This could mean losing your account and all your followers overnight.
- Shadow Banning: In some cases, TikTok might not fully ban an account but will limit its
reach (known as a shadow ban) if it suspects inauthentic activity. Your videos might stop appearing on the
For You page if you trip anti-spam algorithms.
- Data Privacy and Security: Using third-party tools or unofficial APIs often means
providing your TikTok credentials or session tokens to those tools. This can be dangerous if the tool is
malicious or not secure. Never use an untrusted service with your real account credentials.
Also, bots or scripts can inadvertently leak session cookies or API keys if not handled carefully.
- Platform Changes: TikTok frequently updates its platform and security. What works today
for automation might break tomorrow. Many unofficial API methods stop working when TikTok changes their site
or app to block them. Automators must be prepared for maintenance.
In summary, TikTok automation should be used sparingly and ethically. It can be a learning
exercise or a way to manage legitimate tasks, but trying to “growth hack” TikTok with bots is risky and often
counterproductive. TikTok’s algorithms favor genuine engagement – a large number of bot-generated followers with
no real interaction can hurt an account’s reputation more than help it. Always prioritize
creating quality content and use automation as a supplement (if at all), not a replacement for genuine user
engagement.
2. Environment Setup for TikTok Automation
Before writing any code, you need to set up a robust environment for running your TikTok automation scripts. This
involves preparing your operating system (Windows or Linux), installing required software (Node.js or Python and
relevant libraries), configuring proxies for safety, and securing any keys or credentials. Below is a breakdown of
key considerations and step-by-step setup instructions for both Windows and Linux environments.
2.1 Key Environment Considerations
-
Using Proxies: TikTok is known to aggressively rate-limit or block IP addresses that make
too many requests or appear suspicious. Using proxies can help distribute your requests across different IPs
to avoid hitting these limits. Ideally, use residential proxies (IP addresses from real
consumer devices) or mobile proxies (from mobile carriers) because they appear as legitimate
user traffic and are less likely to be blocked. Rotating proxies are also useful – these will automatically
cycle through IP addresses on each request or at set intervals. When scraping or automating, set up your HTTP
client or browser automation tool to route traffic through a proxy. For example, in a Node.js script with
Puppeteer you can launch Chrome with a --proxy-server=<IP:PORT>
argument, and in Python
requests
you can specify a proxies
dictionary. Note: Make sure the
proxies are from reputable providers to ensure reliability and speed. Also, be mindful of the legal and
ethical use of proxies – scraping or automating in violation of terms can still get you in trouble even if you
use a proxy.
-
Virtual Machines (VMs): It’s often a good idea to run automation scripts inside a VM or
isolated environment. A VM allows you to simulate a separate computer system, which is useful for a few
reasons:
- Isolation: If your script accidentally downloads malware or if TikTok attempts to
fingerprint your machine, the VM provides a layer of separation from your host OS.
- Multiple OS Testing: With a VM, you can easily run a Linux environment on a Windows host
(or vice versa) to see which works better for your tools. Some developers even run Android emulators in a VM
to simulate the TikTok mobile app environment for automation.
- Avoiding “Antidetect” issues: TikTok’s anti-bot system might look at your device or
browser fingerprint. Some automation experts recommend using a VM with an Android emulator
for TikTok automation because it can mimic a real phone more closely than a desktop browser. For instance,
you could run an Android x86 OS or use an emulator like Bluestacks inside a VM, then control the TikTok app
with automation (this approach requires tools like Appium and goes beyond basic scripting, but it’s an
option).
If you choose to use a VM, software like VirtualBox or VMware Workstation can create one. Allocate enough
memory and CPU for the VM if you plan to run a full browser or Android emulator inside it. Running a headless
browser automation on a lightweight Linux server VM is a common approach for deployment.
-
Operating System – Windows vs. Linux: Both Windows and Linux can be used for TikTok
automation, and each has pros and cons:
- Windows: If you plan to automate using a visible web browser or GUI tools, Windows can be
straightforward. You can install Chrome or use Edge (Chromium-based) and easily see what the automation is
doing. Tools like PowerShell or
.BAT
scripts can help schedule tasks. Windows
is also necessary if you want to run official TikTok desktop app or certain emulators that are Windows-only.
- Linux: Linux is preferred for running automation on servers or in the cloud. It’s
lightweight and you can run scripts without a graphical interface (headless mode). Many Node.js and Python
libraries (like Puppeteer, Playwright, or Selenium) run well on Linux. If using Linux for browser
automation, remember to install a desktop environment or use Xvfb for headless display since TikTok’s site
is heavily graphical. Linux typically requires a bit more setup for things like Chrome dependencies (fonts,
libraries) for headless browsing.
In summary: use the OS you’re comfortable with. For learning purposes, Windows might be simpler
(especially if you want to watch the browser actions), but for deployment at scale, Linux is often more
efficient.
2.2 Setup Instructions – Windows
Let’s go through setting up a TikTok automation project on Windows step by step. We’ll cover both Node.js and
Python scenarios:
-
Install Node.js and Python: If you haven’t already, download and install Node.js (which includes npm, the Node package manager) and Python 3. Having both gives you flexibility to use JavaScript
(Node) or Python libraries. Make sure to add them to your PATH. You can verify installation by opening Command
Prompt (CMD) and running node -v
and python --version
.
-
Create a Project Folder: Make a new directory for your project, e.g.,
C:\TikTokBot
. Open a terminal in this folder.
-
Set Up a Node.js Project (if using Node): Run npm init -y
to initialize a
Node.js project with default settings. This creates a package.json
.
-
Install Dependencies (Node): Decide which library or framework to use. For browser
automation, popular choices are:
- Puppeteer: A Node library to control Chrome/Chromium. Install with
npm install puppeteer
. (We will use Puppeteer in examples below.)
- Playwright: Microsoft’s browser automation library supporting Chrome, Firefox, and
WebKit. Install with
npm install playwright
(or npm install @playwright/test
for a
test runner setup).
- If you plan to use an unofficial TikTok API wrapper (for data scraping), you might install something like
npm install tikapi
(for TikAPI’s Node SDK) or other community packages. But keep in mind these
may not support posting actions, as noted.
- Proxy libraries (optional): If you want advanced proxy management, you can install
packages like
proxy-agent
or configure Puppeteer to use proxies without extra packages. We’ll
demonstrate proxy usage in code rather than with a separate library.
-
Install Dependencies (Python): If you prefer Python, set up a virtual environment (optional
but recommended) with python -m venv venv
and activate it. Then:
- For the unofficial TikTokApi: run
pip install TikTokApi
(this installs the library that
allows data scraping from TikTok’s web API).
- For browser automation in Python, you have a few choices:
- Selenium:
pip install selenium
(you’ll also need a ChromeDriver or a
driver for your browser version).
- Playwright for Python:
pip install playwright
and then
playwright install
to get browser binaries.
- Pyppeteer: an unofficial port of Puppeteer to Python
(
pip install pyppeteer
), though Playwright is more maintained for Python now.
- Undetected ChromeDriver: If using Selenium, consider
pip install undetected-chromedriver
to help bypass anti-bot detection.
- Also install any other needed libraries (e.g.,
requests
if calling web APIs, or
frida
if you were going to experiment with SSL pinning bypass – more on that later, though
beginners can skip it).
-
Proxy Configuration: Decide on the proxy you will use for your requests or browser. Obtain
the proxy address (and credentials if any). For example, you might have a proxy like
username:password@proxy.myproxy.com:8000
. On Windows, you can set environment variables for
proxies:
- In a terminal, you might run
set HTTP_PROXY=http://username:pass@proxy:port
and
set HTTPS_PROXY=http://username:pass@proxy:port
to have tools pick them up by default.
- For browser automation, you often pass the proxy to the browser instance. With Puppeteer, for instance,
you can do:
const browser = await puppeteer.launch({
headless: false,
args: ['--proxy-server=proxy.myproxy.com:8000']
});
await page.authenticate({username: 'username', password: 'pass'});
We will show this in code as well. For Python requests
, you can do:
proxies = {
"http": "http://username:pass@proxy.myproxy.com:8000",
"https": "http://username:pass@proxy.myproxy.com:8000"
}
requests.get(url, proxies=proxies)
- Do not skip proxies if you plan to do a lot of actions. Without proxies, if you send too
many requests from one IP (especially one not associated with a real ISP), TikTok’s servers may quickly flag
and block you. Using a pool of rotating residential proxies helps you stay under the radar.
-
Secure Your Credentials and API Keys: If you are using any API service (for example,
TikAPI which provides a TikTok API service via an API key), never hard-code your API
keys in your script. Instead, use environment variables or a config file that isn’t committed to
version control. On Windows, you can set environment variables in the system settings or in PowerShell like:
$env:TIKAPI_KEY="your_api_key_here"
Then in Node.js, you can access it with process.env.TIKAPI_KEY
. In Python, use
os.environ.get('TIKAPI_KEY')
. Similarly, if your automation uses login credentials
(username/password) or session cookies, keep those secure. Ideally, prompt for them or store in a secure
vault, and never publish them.
-
(Optional) Install Additional Tools: For debugging automation, it might help to install:
- Chrome or Chromium browser (Puppeteer usually downloads its own
Chromium, but having Chrome can help for manual testing).
- Node.js dev tools: If using Node, maybe install
nodemon
for auto-restarting
your script during development.
- Git (if you plan to use code from GitHub or version control your project).
- Frida (Advanced): If you intend to experiment with mobile API reverse engineering, you’d
need Frida and maybe an emulator. This is an advanced step and not needed for basic setups, but we’ll
mention it later in context.
Windows-specific tip: Sometimes Windows Defender or antivirus might flag automation tools (like a browser
controlled by code) as suspicious. Ensure you trust the libraries you install, and you might need to whitelist
them if needed.
2.3 Setup Instructions – Linux
Setting up on Linux is fairly similar, but done via the terminal. Here’s a guide using a Debian/Ubuntu-like
environment (adapt as needed for other distros):
-
Install System Dependencies: Update your package lists and install basics:
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl build-essential
If you plan to use Chrome in headless mode, also install libraries it needs:
sudo apt install -y libnss3 libatk1.0-0 libatk-bridge2.0-0 libdrm2 libxcomposite1 libxdamage1 libxfixes3 libgbm1 libasound2 libpangocairo-1.0-0 libpangoft2-1.0-0
(The above are common libs for running Chromium/Chrome on headless servers. You might also need fonts:
sudo apt install -y fonts-liberation
.)
-
Install Node.js and Python: You can use NodeSource or nvm for Node.js. For simplicity:
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs
Verify with node -v
.
Python3 is likely pre-installed on most Linux systems. If not:
sudo apt install -y python3 python3-pip
. And optionally python3-venv
.
-
Create Project Directory:
mkdir ~/tiktok-automation && cd ~/tiktok-automation
.
-
Install Dependencies (Node): Similar to Windows, use npm:
npm init -y
npm install puppeteer-extra puppeteer-extra-plugin-stealth
Here we included puppeteer-extra
and its stealth plugin which helps mask the automation (we’ll
discuss this plugin soon). Puppeteer will download a headless Chromium. If you prefer Playwright:
npm install playwright
npx playwright install
-
Install Dependencies (Python): If using Python, perhaps set up a venv:
python3 -m venv venv
source venv/bin/activate
Then:
pip install TikTokApi selenium undetected-chromedriver playwright
playwright install
The above installs the TikTokApi wrapper, Selenium (with stealth driver support), and Playwright. You might
not use all of them, but it’s good to have them if experimenting with different methods.
-
Proxy Setup: On Linux, you can export environment variables in your shell for proxies:
export HTTP_PROXY="http://username:pass@proxy.myproxy.com:8000"
export HTTPS_PROXY="http://username:pass@proxy.myproxy.com:8000"
If your automation runs as a service or cron job, ensure these env vars are set in that context, or handle
proxy in code as demonstrated earlier for Windows (the code snippets will be the same on Linux). For Puppeteer
on Linux, the args: ['--proxy-server=...']
approach in the launch command works identically. One
more tip: if you use multiple proxies, you can integrate a proxy rotation in your script logic (e.g., pick a
random proxy from a list for each new browser launch or each batch of actions).
-
Security of Keys/Credentials: Same principle as Windows. Use environment variables or config
files (outside version control) to store secrets. On Linux, you can put them in your ~/.bashrc
or
systemd service file (if running as a service). For example:
export TIKAPI_KEY="your_api_key_here"
export TIKTOK_USER="your_username"
export TIKTOK_PASS="your_password"
But remember, storing a raw password is risky – if possible, use session cookies or OAuth tokens instead of
plaintext username/password in your scripts. We will cover authentication methods in the next section.
-
Verify Installation: Test that Node and Python can run. For Node, try
node -e "console.log('Node is working')"
; for Python,
python -c "print('Python is working')"
.
Linux is now ready. One Linux-specific note: if you run a headless environment (no GUI), and you plan to
run a non-headless browser for debugging, you might need to install a minimal desktop or use
Xvfb. For truly headless operation, ensure you set the headless option to true
(or do not disable it)
in Puppeteer/Playwright. Some developers prefer running with a visible browser even on Linux to monitor what the
bot is doing, in which case running your script on a desktop environment or forwarding X11 display is needed.
By this point, you should have your development environment set up with all necessary tools to start writing the
TikTok automation scripts.
3. Automation Strategies: API-Based vs Browser
Automation
Now that the environment is ready, let’s discuss strategies for automating TikTok. There are two primary
approaches: using an API-based method or using browser automation. Each has its
advantages and challenges. We’ll also touch on TikTok’s security measures like SSL pinning and how tools like
Frida come into play (for advanced scenarios).
3.1 API-Based Automation
What do we mean by API-based? This refers to any method where your code directly calls TikTok’s
backend endpoints (HTTP requests to TikTok’s servers) rather than controlling an actual browser. This could
involve official APIs, unofficial/private APIs, or scraping endpoints.
-
Official TikTok APIs: TikTok does not provide a general-purpose public API like Twitter or
Instagram’s old API for regular content interactions. They do have specific APIs for advertisers and
developers, but these are limited. For example, TikTok’s official Developer API and
TikTok for Business API allow things like managing ads, retrieving analytics, and maybe
posting videos via authorized partnerships. They do not allow arbitrary liking/following
automation for normal user accounts. Furthermore, access to these APIs requires approval and adherence to
strict usage policies (Tiktok
automation | BlackHatWorld).
-
Unofficial APIs / Reverse-Engineered Endpoints: Many in the developer community have
reverse-engineered TikTok’s internal API endpoints (largely from the mobile app and web). This is how the
TikTokApi Python library works for read-only data – it uses TikTok’s private web API
endpoints for fetching videos, user info, etc., by imitating a normal web browser’s requests. Some developers
have gone further and reverse-engineered the authenticated endpoints (for actions like
follow, like, comment). However, doing so is complicated because TikTok employs security
measures:
- Authenticated requests require tokens/cookies: To follow or like, a request must include
a valid user session token (like cookies or an auth token). Getting this usually means you need to be logged
in. Unofficial API calls might require you to supply your TikTok account’s cookies to the library.
- Signatures and Validation: TikTok’s servers expect certain parameters like
msToken
, X-Bogus
or X-Tt-Params
headers, which are basically encoded
representations of your device state and a cryptographic signature. These signatures are meant to ensure the
request is coming from a real TikTok app or web client. Generating these signatures is
non-trivial. The TikTokApi library, for instance, often needs to execute TikTok’s obfuscated
JavaScript or use a headless browser to obtain a valid signature for each request.
- Rate limiting & IP bans: If you successfully figure out the endpoints and signatures,
you still must send requests at a reasonable rate. TikTok’s backend will quickly flag unusual patterns (like
100 follow requests in 5 seconds).
-
Using an Unofficial API Library: If you find a library on GitHub that claims to allow
likes/follows, it likely does one of two things: (1) uses a server-side service that handles the request
signing for you (some projects set up a local HTTP server to generate the necessary signatures via a browser,
such as 1Mr-Newton/tiktok-signature (1Mr-Newton/tiktok-signature
- GitHub)), or (2) it requires you to hook into the mobile app (which leads to tools like Frida,
discussed below). For beginners, relying on community-maintained libraries is the easiest path. For example:
- TikTokApi (Python): Great for scraping public data, but again, it explicitly cannot
perform actions like following or posting. It’s read-only for analytics.
- TikAPI (Node/Python service): This is a third-party paid service where you use their API.
They handle all the scraping and provide results. TikAPI can get you data easily and even supports login via
OAuth to get user-specific data. However, they restrict access to interaction endpoints
(follow/like/comment) to prevent abuse (How
can I get access to special endpoints? - TikAPI). You would have to become a “trusted” client or have
a valid use-case to get those privileges.
- Custom scripts: Some developers roll their own scripts using Python’s
requests
or Node’s axios
to hit TikTok endpoints. They often capture their own
TikTok app’s traffic (with a proxy, after bypassing SSL pinning) to see what to send. This is advanced and
prone to breaking. We don’t recommend this route for junior developers due to the
complexity.
SSL Pinning & Frida (for API reverse engineering): If you are attempting to reverse-engineer
the TikTok mobile app API, you’ll encounter SSL pinning. SSL pinning is a
security technique where the app only trusts a specific SSL certificate (usually TikTok’s own certificate) and
will refuse to connect if any other certificate is present. This means if you try to proxy the app’s traffic (to
see API calls), the usual method of installing a custom CA certificate on your device won’t work – TikTok app will
detect the certificate mismatch and stop calls. To bypass this, tools like Frida are used:
- Frida is a dynamic instrumentation toolkit that can hook into apps at runtime. Using a Frida
script, developers can disable or bypass the certificate pinning logic in the TikTok app (TikTok:
Logs, Logs , Logs - Baptiste Robert). Essentially, Frida can intercept the function calls in the app that
validate certificates and force them to always accept your proxy’s cert.
- Once SSL pinning is bypassed, you can route the TikTok app traffic through a tool like
mitmproxy or HTTP Toolkit to inspect all the API endpoints being used when you
like a video or follow someone.
- Important: This is getting into reverse engineering territory, which is advanced and possibly
against TikTok’s terms (and maybe local laws if done improperly). We mention it to explain how some unofficial
methods are developed. If you’re just starting out, you do not need to use Frida or dive into TikTok’s binary.
It’s overkill for basic automation and carries the risk of legal issues if you misuse the data.
Summary of API approach: In theory, API-based automation is faster and uses fewer resources (no
need to launch a browser). But due to TikTok’s countermeasures (signatures, pinning, fingerprinting), it’s a
cat-and-mouse game. If you’re a junior dev, your best bet for an API style approach is to use a trusted
third-party API service (like TikAPI) for read-only data or experiment with the TikTokApi library for
learning. For performing actions, the API route is not beginner-friendly and is likely to get your
account flagged unless done very carefully. This is why many turn to the browser automation approach.
3.2 Browser Automation
Browser automation means controlling a web browser (like Chrome, Edge, or Firefox) with code, so that the browser
does the same things a human user would do: navigate pages, click buttons, scroll, etc. From TikTok’s perspective,
this is harder to distinguish from a real user if done properly, since it’s literally using a real browser to
interact with the site.
Advantages of Browser Automation:
- You leverage TikTok’s regular web interface, so you don’t have to figure out private APIs or signatures.
- It’s often easier to implement using high-level commands (click this, type that) rather than constructing raw
HTTP requests.
- You can actually see what’s happening (helpful for debugging – e.g., if TikTok shows a captcha or warning, you
can detect or even visually see it in non-headless mode).
- From TikTok’s perspective, a well-configured headless browser can appear like just another Chrome user
watching videos.
Challenges:
- Browser automation is more resource-intensive. Launching a browser and rendering pages uses more CPU and RAM
than making an HTTP request.
- It can be slower, especially if you simulate human-like delays (which you should, to avoid detection).
- TikTok may still detect automation through browser fingerprints. For example, it might detect headless
Chrome or known automation patterns. (We’ll discuss how to mitigate this with things like the stealth
plugin.)
- If TikTok throws up a CAPTCHA or “Are you a robot?” check, your automation needs to handle
that (either by solving it or by using an external captcha service, which is another layer of complexity).
- You’ll need to manage user sessions (login cookies) in the browser, and possibly handle login flows, which
might involve 2FA or email confirmation.
Tools for Browser Automation:
- Puppeteer (Node.js): Controls Chromium or Chrome via the DevTools Protocol. Great for
scripting Chrome in Node. We can use the puppeteer-extra variant with plugins like
puppeteer-extra-plugin-stealth to mask some bot-like characteristics (like disabling
navigator.webdriver, etc.).
- Playwright (Node.js or Python): Similar to Puppeteer but multi-browser and has some handy
features. It also has a stealth mode (though not as plug-and-play as puppeteer-extra’s plugin).
- Selenium (multiple languages): A long-standing automation framework. With Selenium, you often
use a WebDriver (like ChromeDriver) to control the browser. TikTok’s web might detect standard ChromeDriver, but
the undetected-chromedriver project patches it to be less detectable. Selenium can be used with
Python, Java, etc.
- Browser automation with headless mode vs visible mode: Running the browser in headless mode
(no UI) is convenient and faster. However, some users have noted that TikTok might behave slightly differently
with headless browsers. For example, one anecdote mentioned that when running headless, their follow actions
didn’t “count” until they ran it in a visible window. This could be due to TikTok delaying certain actions if
the page is not in focus, or simply the bot was too fast in headless mode. Tip: while
developing, run in non-headless (headful) mode to see everything. Once stable, you can try headless, but be
ready to switch back if TikTok detects it or if functionality differs.
Overcoming Anti-Bot in Browser:
TikTok’s web uses various techniques to detect bots:
- It may use browser fingerprinting (checking your user-agent, screen size, installed plugins,
time zone, canvas fingerprint, etc.). To mitigate this, use the stealth plugin for Puppeteer or
manually adjust page properties in Selenium/Playwright. The stealth plugin will, for example, remove
navigator.webdriver
flag, spoof hardware concurrency, etc.
- It sets cookies like
tt_webid_v2
which identify a session. Deleting or not handling cookies can
lead to frequent verification checks. It’s good to persist cookies between runs (we’ll show how
in the code example).
- Rate-limit interactions: If your bot likes 50 videos in a minute, TikTok might show a “you’re doing this too
fast” message or captcha. Always slow down and maybe implement random wait times between actions.
- Monitor network calls: Even with a browser, TikTok might notice if certain background calls (like analytics
pings or ad calls) are consistently blocked or missing. A real user’s browser loads a bunch of resources
(images, scripts, etc.). A headless script that instantly jumps around and doesn’t load everything could stand
out. One trick is to not block resources like images or media on TikTok, even if it makes it a bit heavier; you
want to appear as normal as possible.
SSL Pinning Relevance: Note that SSL pinning is primarily a mobile app concern. When you use a
browser (web interface), the web requests can already be observed or modified via DevTools or proxies because the
web browser doesn’t pin certificates in the same way. So, you typically don’t need Frida for web automation. SSL
pinning is mentioned in the context of reverse-engineering the mobile app’s API. For browser automation, the main
security to consider is captchas and login security (TikTok might send email verification if it suspects a login
is from a new device/bot).
In summary: For most developers, browser automation is the practical approach
to TikTok automation for actions. It’s more straightforward to implement and aligns with how a human uses TikTok
(thus somewhat safer if done moderately). The downside is performance, but unless you need to run a massive bot
farm, a single machine can handle a decent amount of automated interactions with a browser.
Next, we will walk through a step-by-step example of automating some TikTok actions using a library. We’ll use a
browser automation approach with Node.js and Puppeteer, and later we’ll also mention a Python alternative. This
will illustrate how everything comes together.
In this section, we’ll build a simple TikTok automation script using an existing library. For demonstration,
we’ll use Node.js with Puppeteer (plus the stealth plugin) to automate a browser. This will show
how to log in to TikTok (in a way that avoids violating policies as much as possible), then perform actions like
follow, like, and comment on TikTok posts.
(Python developers: don’t worry, you can do the same with Python using Selenium or Playwright – we’ll provide
notes on that too. The logic is analogous.)
4.1 Installing and Importing the Library
First, ensure you have Puppeteer and the stealth plugin installed as discussed. If not, run:
npm install puppeteer-extra puppeteer-extra-plugin-stealth
Now, create a JavaScript file, e.g., tiktok_bot.js
, and import the required modules:
const puppeteer = require('puppeteer-extra');
const StealthPlugin = require('puppeteer-extra-plugin-stealth');
puppeteer.use(StealthPlugin());
The stealth plugin will automatically apply a number of evasion techniques to make the headless browser look more
like a normal browser. This includes things like removing navigator.webdriver
property, mimicking
WebGL fingerprints, etc. TikTok (like many modern websites) can detect default headless Chrome without these
tweaks, so this plugin is highly recommended.
4.2 Authenticating and Session Management
To perform actions like follow or like, you must be logged in to a TikTok account. Important:
Only automate with a throwaway or test account at first. Do not risk your main account. Also, do not automate
multiple accounts from the same IP without proxies – TikTok might link them.
There are a few ways to handle authentication:
- Manual login with automation assistance: You can have the automation script open the TikTok
login page and then pause to allow you to manually solve a captcha or scan a QR code or enter
credentials. Once logged in, you can have the script save cookies for reuse.
- Automated login: This involves scripting the input of username and password. This can work,
but TikTok may present image puzzles or 2FA challenges that are hard to solve programmatically. You might also
get a “Too many attempts, try later” if you try repeatedly (Not
able to use it with tiktok? · Issue #404 - GitHub).
- Reuse session cookies: Easiest approach is to log in once (either manually in a browser or
via a one-time automation run), grab the session cookies, and then load those cookies in subsequent script runs
so you don’t log in every time. TikTok’s main session cookie is often called
sessionid
(and a bunch
of others are set like sid_tt
etc.).
For our guide, we’ll illustrate an automated login for completeness, but be prepared to handle it manually if
challenges arise.
Steps to login:
- Navigate to TikTok login page.
- Choose a login method (e.g., login with username/email).
- Fill in credentials and submit.
- Wait for navigation or check if login was successful (e.g., the URL changes to TikTok feed).
- Save cookies for the session to a file (so next time, you can load them).
Here’s a snippet:
(async () => {
const browser = await puppeteer.launch({
headless: false,
args: [
'--no-sandbox',
'--disable-setuid-sandbox',
'--lang=en-US,en',
]
});
const page = await browser.newPage();
const fs = require('fs');
const cookiesPath = 'tiktok_cookies.json';
if (fs.existsSync(cookiesPath)) {
const cookies = JSON.parse(fs.readFileSync(cookiesPath));
await page.setCookie(...cookies);
console.log('Loaded cookies from previous session.');
}
await page.goto('https://www.tiktok.com', { waitUntil: 'networkidle2' });
let loggedIn = false;
try {
await page.waitForSelector('[data-e2e="user-avatar"]', { timeout: 5000 });
loggedIn = true;
console.log('Already logged in.');
} catch (e) {
loggedIn = false;
}
if (!loggedIn) {
console.log('Not logged in, proceeding to login.');
await page.click('button[data-e2e="top-login-button"]');
await page.waitForTimeout(1000);
await page.click('button[data-e2e="login-button-email"]');
await page.waitForSelector('input[name="username"]');
await page.type('input[name="username"]', process.env.TIKTOK_USER, { delay: 50 });
await page.type('input[name="password"]', process.env.TIKTOK_PASS, { delay: 50 });
>
>
>
>
>
>
>