When Research APIs Close the Door: When you finally get it, it is not what you have asked for

In the previous blog, we described a timeline of how we applied for TikTok research data access (API) and kept communicating with TikTok for 1.5 years, and had not received it yet. In this follow-up blog, we would like to provide more how this never-ending story continued and developed until nowadays.

This whole story demonstrates how we, academic researchers, are dependent on platforms’ willingness (or rather a complete lack of willingness) to share their data in order to help them to make the online environment more safe. This story also clearly shows why independent research is so important, and why it makes sense to focus on approaches, such as external independent algorithmic audit, which we research within the AI-Auditology project.

Just to remind, we applied for the first time for access to TikTok’s research API to study on December 19, 2023. A long period of time full of sending reminders, appeals and erroneous decisions happened. On July 2, 2025, after our second application was rejected, we pointed out again the mismatch between TikTok’s justification for application rejection and their own official eligibility criteria.

On July 17, 2025 (surprisingly promptly, especially considering the slowness of previous communication), the TikTok team replied and acknowledged their mistake with incorrectly assessing our eligibility:

“We followed up with our third party reviewer and they have confirmed that while your organisation is not within the standard nonprofit legal types that they consider for verification, upon further review and investigation of the governing documents you provided, they were able to validate your eligibility.

We are therefore moving forward with approving your application now.

Apologies again for the lengthy due diligence process and we wish you the best with your research.”

At the same time, we received an automatic email saying that: “You can access all data through the Virtual Compute Environment (VCE).“

VCE was not, unfortunately, the type of data access we asked for. In comparison with Research API, which we asked for explicitly in the application, it provides only very limited access options.

But still, after such a long period of waiting and arguing, it was at least something. We immediately tested the access but unfortunately the provided credentials did not work at all. So we decided to wait a day or so, maybe it takes some time before they start working. However, during the next few days, the whole VCE environment was unavailable completely (returning HTTP error 499 or 502). When it started to work again, we were still receiving an error: „Invalid username or password“.

On August 22, 2025, we approached TikTok support again and in few days the response arrived:

“ I have checked our records, and you are currently approved for access to the Research API rather than the VCE. The VCE is a separate tool that includes additional security measures. To access the Research API, you do not need to go through our secure Jupyter environment, rather you can use the application of your choice.“

Amazing, right? So we received the access we were indeed asked for. The next day, we tested the Research API, successfully obtained an access token but any next requests ended with an error: “The user did not authorize the scope required for completing this request.”. 

According to the FAQ, this error related to this issue: “This indicates that you have not yet submitted your research application for our review and have not passed the necessary approval evaluations.”

You cannot imagine how desperate we were to read such an error. We immediately sent an email to TikTok support on August 26, 2025. No response at all. One more reminder after two weeks on September 10, 2025. No response. After two additional weeks, on September 24, 2025, I desperately asked for ANY response.

Finally, the response arrived on September 30, 2025, saying: 

“It appears that you should only be authorised for access to our VCE (virtual compute environment) and not the Research API, which is why you may have encountered the error message regarding not having the scope required. Since you are applying from an institution that is a non-profit organisation rather than a university, this is currently the only access that we are able to provide.”

It is very unclear for us why we were told by the same TikTok team that we actually received VCE, when it did not work, it should be actually the Research API access instead of VCE and when it did not work neither, it is finally VCE instead of the Research API again. It is also unclear why it took an additional month to resolve the issue with non-working credentials. It 

While the last reply mentioned that the VCE is given to non-profit organizations and we acknowledge that this limitation is now mentioned in the application form, it was NOT there when we submitted our application the second time (in January 2025).

Also it is weird that their eligibility criteria clearly states that academic institutions are eligible for Research API, however, in their communication they consider universities as only eligible type of academic organizations (following this argument, our first application was declined and even appeal did not work that time). Practically, this narrow interpretation of academic organizations leaves out all independent non-profit research institutions, including our one, completely preventing them from obtaining access to the Research API.

In total, it took 21 months, from December 19, 2023 until September 30, 2025, to get the first working data access from TikTok. It was a long journey and we are quite sure that many researchers are not having sufficient time and resources to undergo it. Not speaking about the fact that when you finally get data access, it is not what you have asked for…

While I have sent one more email to the TikTok team, kindly asking for an explanation why they confirmed us to have the Research API access and denied it shortly afterwards, I do not believe this will start working soon. Instead, as of 29 October 2025, the Delegated act on data access under the Digital Services Act (DSA) entered into force and opened new data access possibilities for so-called vetted researchers. We now give our hopes to this EU legislation that can significantly strengthen the position of researchers in the uneven fight with social media platforms.