
Tik-Tok Terms

What the app does

nooQ Golf is a multi-tenant SaaS platform used by UK golf clubs to run their public-facing club websites. Each club has its own subdomain (for example cathkinbraesgolfclub.co.uk) powered by our content-management system. One of the website modules a club admin can drop onto a page is a Social Feed block, which embeds the club's own recent social-media posts so members and visitors can see club activity without leaving the club's site.

The TikTok integration in this app gives club admins a one-click way to connect the club's own TikTok account so that the club's own recent TikTok videos appear in that Social Feed block. The integration is read-only: the app never posts, comments, likes, follows, or messages on the connected account. It only fetches the connected account's profile and recent videos for embedding on the same club's website.

Products in use

1. Login Kit for Web

Where it appears: In the CMS admin, the club admin opens Settings → Social Media → TikTok and clicks Connect TikTok. This launches the standard TikTok Login Kit OAuth flow in the browser, redirecting to https://www.tiktok.com/v2/auth/authorize/. After the admin signs in and approves the requested scopes on TikTok's consent screen, TikTok redirects back to our canonical callback URL https://webcms.nooqgolf.com/api/oauth/tiktok/callback with an authorization code. The server exchanges that code for an access token and refresh token (AES-256 encrypted at rest), stores them against the club's tenant record, and writes the connected display name and avatar so the admin can confirm the right account is connected.

Why we need it: Login Kit is the only supported way to obtain a user-context access token for the Display API call described below.
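Because every club shares the one callback URL above, the server has to decide at callback time which tenant record the tokens belong to. The following is an added example (not nooQ Golf's code) of one way to do that with a signed `state` value. The signing key, the tenant and session identifiers, the 10-minute lifetime and all function names are assumptions; `client_key`, `scope`, `response_type`, `redirect_uri` and `state` are the Login Kit for Web authorize parameters.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

AUTHORIZE_URL = "https://www.tiktok.com/v2/auth/authorize/"
REDIRECT_URI = "https://webcms.nooqgolf.com/api/oauth/tiktok/callback"
SCOPES = ("user.info.basic", "video.list")  # the only two scopes the page lists
STATE_TTL = 600  # assumption: seconds allowed to complete the consent screen


def sign(key, payload):
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def make_state(key, tenant_id, session_id, now=None):
    """Bind one OAuth round trip to a tenant and to the admin's CMS session."""
    now = time.time() if now is None else now
    claims = {"tenant": tenant_id, "sid": session_id,
              "nonce": secrets.token_urlsafe(16), "exp": int(now) + STATE_TTL}
    body = json.dumps(claims).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + sign(key, body)


def build_authorize_url(client_key, state):
    params = {"client_key": client_key, "response_type": "code",
              "scope": ",".join(SCOPES), "redirect_uri": REDIRECT_URI,
              "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def tenant_for_callback(key, state, session_id, now=None):
    """Return the tenant whose record may receive the tokens, else None."""
    now = time.time() if now is None else now
    try:
        encoded, sig = state.split(".", 1)
        body = base64.urlsafe_b64decode(encoded)
        if not hmac.compare_digest(sig, sign(key, body)):
            return None  # forged or altered state
        claims = json.loads(body)
    except (ValueError, TypeError, AttributeError):
        return None
    if claims["exp"] < now or claims["sid"] != session_id:
        return None  # stale flow, or callback arrived in a different session
    return claims["tenant"]
```

The code exchange should run only when `tenant_for_callback` returns a tenant, and the tokens should be stored against that tenant alone. Making the nonce single-use would additionally need a server-side record, which this sketch omits.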

2. Display API

Where it appears: Once a club's TikTok account is connected, a scheduled job runs every 5 minutes and, for each club whose Social Feed has TikTok enabled, calls

POST https://open.tiktokapis.com/v2/video/list/

with the stored access token to fetch that account's recent videos. The normalised result (cover image, caption, permalink, timestamp, like/comment/view counts) is cached per-club and rendered in the Social Feed block on that club's public website. Each video links back to the original post on tiktok.com via the share_url — playback happens on TikTok, never in-app.

Why we need it: This is the sole purpose of the integration — surfacing the club's own recent TikTok videos on the club's own website.

Scopes requested

user.info.basic

Used by: Login Kit (above) and one server-side call to GET https://open.tiktokapis.com/v2/user/info/ immediately after the OAuth code exchange.

Fields read: open_id, union_id, display_name, avatar_url.

Where it appears in the UI: The display name and avatar are shown in the CMS admin's TikTok settings panel under the heading "Connected as @{display_name}" so the club admin can verify the correct account is connected, and so we can show a meaningful Disconnect button. None of these values are shown to website visitors or used for any other purpose.

video.list

Used by: The 5-minute refresh job calling POST https://open.tiktokapis.com/v2/video/list/.

Fields read: id, title, cover_image_url, share_url, create_time, like_count, comment_count, view_count.

Where it appears in the UI: Each video becomes a card in the Social Feed block on the club's public website — cover image, caption excerpt, post date, and counts, with the card linking out to share_url on tiktok.com for playback. Nothing is shown that is not already public on the post.

What we do not do

- We do not request or use Content Posting API, Research API, or any scope beyond the two above.
- We do not post, comment, like, follow, or message on the connected account.
- We do not aggregate, profile, or resell TikTok data, and we do not show one club's TikTok content on a different club's website.
- We do not store video files; we store only the metadata listed above plus the encrypted tokens needed to refresh it.

Disconnect and data handling

The website admin can hit Disconnect TikTok at any time.

That action revokes the stored access token and refresh token, deletes them from our database, and purges the cached video metadata for that site. Tokens are AES-256 encrypted at rest using a key held only in the production environment.

Full details are in our Privacy Policy at https://nooqgolf.com/privacy and our Terms at https://nooqgolf.com/terms.