TikTok shipped an MCP server: 3 guardrails to add before your agent spends $500

On May 14, 2026, TikTok released an MCP server that lets AI agents create campaigns, set budgets, swap creatives, and pull reporting through standard Model Context Protocol tool calls. Claude, Cursor, and any MCP-capable client can now run ad spend through a structured tool interface instead of a media-buyer's dashboard.

That is powerful. It is also a corporate card with a chat interface. The first agent that misreads a brief can burn your quarterly budget on a lookalike landing page before the next standup. The fix is not "do not give agents the keys." The fix is a guardrail layer that sits between the agent and the TikTok MCP server, enforces budget caps, validates URLs, and scans audience uploads for restricted PII.

Here is what to install, three checks worth running before any tool call reaches TikTok, and a drop-in 30-line guard you can wire into Claude Desktop or Cursor today.

Install the TikTok MCP server next to a validation server

Pair the TikTok MCP server with the Botoi MCP server in the same client config. The agent gets access to both tool surfaces and can call phishing, PII, and breach checks before it touches the ad platform. Drop this into claude_desktop_config.json (or the equivalent for Cursor and Windsurf):

{
  "mcpServers": {
    "tiktok-ads": {
      "command": "npx",
      "args": ["-y", "@tiktok/mcp-server-ads"],
      "env": {
        "TIKTOK_ACCESS_TOKEN": "act.YOUR_LONG_LIVED_TOKEN",
        "TIKTOK_ADVERTISER_ID": "7012345678901234567"
      }
    },
    "botoi": {
      "command": "npx",
      "args": ["-y", "@botoi/mcp"],
      "env": {
        "BOTOI_API_KEY": "bo_live_..."
      }
    }
  }
}

The TikTok server needs a long-lived access token from the TikTok for Business app dashboard with the ad-management scopes. The Botoi server only needs a free API key. With both mounted, the agent sees campaign tools and validation tools in the same context.

Guardrail 1: cap daily spend at the gateway

Agents optimize what they can measure. If they can spend, they will spend. Enforce a hard daily cap at the gateway layer so a budget instruction parsed as "set daily budget to 30000" instead of "$300 over 0 days" never reaches TikTok.

Track cumulative budget per agent session in a small KV store keyed by the conversation ID. Reject any create_campaign or set_budget tool call that would push the session total past your cap. Return an error string the agent can read and recover from.
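One way to build the per-session ledger described above. This is an added example, not code from TikTok or Botoi. The names createLedger, reserve, and release are illustrative, a Map stands in for the KV store, and daily_budget_usd is the argument name used by the guard later on this page.

```javascript
const DAILY_CAP_USD = 500;
const BUDGET_TOOLS = new Set(["create_campaign", "set_budget"]);

// `store` stands in for the KV store (a Map here); `now` is injectable for tests.
// With a networked KV store, make the read-and-update in reserve() atomic.
function createLedger(store = new Map(), now = () => new Date()) {
  // One counter per conversation per UTC day, so the cap resets at midnight UTC.
  const key = (conversationId) => `${conversationId}:${now().toISOString().slice(0, 10)}`;
  const total = (conversationId) => store.get(key(conversationId)) ?? 0;

  // Returns null to allow the call, or { error } for the agent to read.
  function reserve(conversationId, toolCall) {
    if (!BUDGET_TOOLS.has(toolCall.name)) return null;
    const amount = toolCall.arguments?.daily_budget_usd;
    // Fail closed: a budget tool call without an explicit numeric budget is rejected.
    if (!Number.isFinite(amount) || amount <= 0) {
      return { error: "daily_budget_usd must be a positive number" };
    }
    const next = total(conversationId) + amount;
    if (next > DAILY_CAP_USD) {
      return { error: `cap exceeded: ${next} > ${DAILY_CAP_USD} for this session today` };
    }
    store.set(key(conversationId), next);
    return null;
  }

  // Hand a reservation back when a later check or the platform call fails.
  function release(conversationId, amount) {
    store.set(key(conversationId), Math.max(0, total(conversationId) - amount));
  }

  return { reserve, release, total };
}
```

Call reserve before the other checks and release if any of them rejects the call, so a blocked campaign does not consume the session's cap.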

Guardrail 2: phishing check every landing page

A lookalike domain like acme-deals.shop instead of acme.com is the most common way an agent ends up paying for fraud. TikTok will accept the URL; your guardrail should not. One call to the phishing endpoint returns a verdict and a score:

curl -X POST https://api.botoi.com/v1/phishing/check \
  -H "Content-Type: application/json" \
  -d '{"url": "https://acme-deals.shop/promo-2026"}'

{
  "data": {
    "url": "https://acme-deals.shop/promo-2026",
    "verdict": "suspicious",
    "score": 0.78,
    "signals": [
      "domain_age_days: 4",
      "lookalike_to: acme.com",
      "no_https_redirect"
    ]
  }
}

Block any tool call whose landing_url returns anything other than clean. Surface the signals (domain age, lookalike match, missing HTTPS redirect) so the agent can suggest a verified alternative rather than failing silently.

Guardrail 3: scan custom audience uploads for restricted PII

Custom audiences are where compliance breaks. An agent that helpfully pastes your CRM export into upload_custom_audience can ship SSNs or credit card numbers to TikTok in a single tool call. Run the CSV through PII detection first:

curl -X POST https://api.botoi.com/v1/pii/detect \
  -H "Content-Type: application/json" \
  -d '{"text": "name,email,phone,ssn\nJane Doe,jane@acme.com,+14155552671,123-45-6789"}'

{
  "data": {
    "found": true,
    "matches": [
      { "type": "email", "value": "jane@acme.com" },
      { "type": "phone", "value": "+14155552671" },
      { "type": "ssn", "value": "123-45-6789" }
    ]
  }
}

Configure the guard to allow emails and phones (those are legitimate audience identifiers) and reject SSNs, credit cards, government IDs, and bank account numbers. The error message tells the agent which fields to strip and re-upload.
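The error handling described for Guardrails 2 and 3, as an added example that is not Botoi's or TikTok's code: it turns the two response bodies shown above into errors that list the phishing signals and name the CSV columns to strip. The function names are illustrative, and the PII check is an allowlist (anything other than email or phone is restricted), which is stricter than a list of blocked types.

```javascript
// Constructed sample inputs, copied from the two responses shown on this page.
const SAMPLE_PHISHING = { url: "https://acme-deals.shop/promo-2026", verdict: "suspicious", score: 0.78,
  signals: ["domain_age_days: 4", "lookalike_to: acme.com", "no_https_redirect"] };
const SAMPLE_CSV = "name,email,phone,ssn\nJane Doe,jane@acme.com,+14155552671,123-45-6789";
const SAMPLE_PII = { found: true, matches: [
  { type: "email", value: "jane@acme.com" },
  { type: "phone", value: "+14155552671" },
  { type: "ssn", value: "123-45-6789" } ] };

const ALLOWED_PII = new Set(["email", "phone"]); // legitimate audience identifiers

// Phishing `data` -> null (allow) or { error } that lists the signals.
function landingUrlError(data) {
  if (!data || typeof data.verdict !== "string") {
    return { error: "landing url not verified: no verdict returned" };
  }
  if (data.verdict === "clean") return null;
  const signals = (data.signals ?? []).join("; ") || "none reported";
  return { error: `landing url flagged ${data.verdict} (score ${data.score}); signals: ${signals}` };
}

// PII `data` plus the CSV -> null (allow) or { error, columns } naming columns to strip.
// Matched values are never echoed back, so the PII stays out of the agent's context.
function audienceCsvError(csv, data) {
  if (!data || !Array.isArray(data.matches)) {
    return { error: "audience CSV not scanned: no result returned", columns: [] };
  }
  const restricted = data.matches.filter((m) => !ALLOWED_PII.has(m.type));
  if (restricted.length === 0) return null;
  // Naive comma split: enough for simple exports, not for quoted fields.
  const [header, ...rows] = csv.trim().split(/\r?\n/).map((line) => line.split(","));
  const columns = new Set();
  for (const m of restricted) {
    for (const row of rows) {
      const i = row.findIndex((cell) => cell.trim() === m.value);
      if (i !== -1) columns.add(header[i] ?? `column ${i + 1}`);
    }
  }
  const types = [...new Set(restricted.map((m) => m.type))].join(", ");
  const where = columns.size ? [...columns].join(", ") : "unknown (value is not a whole cell)";
  return { error: `restricted PII (${types}) found; strip column(s) ${where} and re-upload`, columns: [...columns] };
}
```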

The 30-line guard, end to end

All three checks fit in a single middleware function. Run it on every tool call before forwarding to the TikTok MCP transport. Errors bubble back to the agent as readable strings; allowed calls pass through unmodified.

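// Sits between the agent and the TikTok MCP server.
// Runs three checks before forwarding a tool call.
const DAILY_CAP_USD = 500;
// Process-wide running total; key it by conversation ID and reset it daily
// to get the per-session cap described under Guardrail 1.
let spentToday = 0;

// POST to a Botoi endpoint. Returns the response's `data`, or null on any
// network, HTTP, or parse failure so the caller can fail closed.
async function botoiCheck(path, body) {
  try {
    const r = await fetch(`https://api.botoi.com${path}`, {
      method: "POST",
      headers: { "Content-Type": "application/json", "X-API-Key": process.env.BOTOI_API_KEY },
      body: JSON.stringify(body),
    });
    if (!r.ok) return null;
    const { data } = await r.json();
    return data ?? null;
  } catch {
    return null;
  }
}

export async function guard(toolCall) {
  const args = toolCall.arguments ?? {};
  let reserved = 0;
  // Release any reserved budget when a later check rejects the call.
  const deny = (error) => {
    spentToday -= reserved;
    return { error };
  };

  // 1. Budget cap
  if (toolCall.name === "set_budget" || toolCall.name === "create_campaign") {
    const proposed = args.daily_budget_usd ?? 0;
    if (!Number.isFinite(proposed) || proposed < 0) {
      return deny("daily_budget_usd must be a non-negative number");
    }
    if (spentToday + proposed > DAILY_CAP_USD) {
      return deny(`cap exceeded: ${spentToday + proposed} > ${DAILY_CAP_USD}`);
    }
    spentToday += proposed; // reserve before any await so concurrent calls cannot both pass
    reserved = proposed;
  }

  // 2. Landing URL phishing check
  if (args.landing_url) {
    const data = await botoiCheck("/v1/phishing/check", { url: args.landing_url });
    if (!data) return deny("landing url check unavailable; call blocked");
    if (data.verdict !== "clean") {
      return deny(`landing url flagged: ${data.verdict} (${data.score})`);
    }
  }

  // 3. Audience CSV PII scan
  if (toolCall.name === "upload_custom_audience" && args.csv) {
    const data = await botoiCheck("/v1/pii/detect", { text: args.csv });
    if (!data) return deny("PII scan unavailable; upload blocked");
    // Only the two restricted types named here are matched; add the API's type
    // names for government IDs and bank account numbers to cover the full list.
    const flagged = data.matches?.filter((m) => m.type === "ssn" || m.type === "credit_card");
    if (flagged?.length) {
      return deny(`audience CSV contains ${flagged.length} restricted PII fields`);
    }
  }

  return null; // allow
}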

Wire this into your MCP gateway (or a simple proxy server if you do not have one yet). The first guardrail call costs you nothing; the first prevented mistake covers a year of botoi free-tier usage many times over.

What a guarded session looks like

With the guard in place, an agent that tries to launch with a suspicious landing page reasons about the verdict and proposes a fix instead of burning spend:

User: Launch a TikTok campaign for our Memorial Day promo.
  Budget $300/day, target US 18-34, creative is the 15s product reel,
  landing page acme-deals.shop/promo-2026.

Agent (tool call): phishing.check { url: "acme-deals.shop/promo-2026" }
Agent (sees verdict): suspicious; score 0.78; domain 4 days old
Agent: I will not launch with that landing page. Suggest using
  acme.com/promo-2026 (verified 5 years, https, matches your brand).
  Want me to proceed with that swap?

The agent kept the campaign idea, swapped the landing page, and asked for approval. That is the pattern you want: fast execution on the safe path, a graceful pause on the risky one. The guardrails turn the agent from an autonomous spender into a junior buyer with a checklist.

Where this fits versus AP2 and AgentCore Payments

TikTok MCP, AP2, and Bedrock AgentCore Payments solve different layers of the same agent economy. Use the right one for the job:

| Surface | Scope | When to reach for it |
| --- | --- | --- |
| TikTok MCP | One platform, agent-driven ad ops | Campaign creation, creative swaps, in-platform reporting |
| AP2 protocol | Cross-merchant agent payment intents | Agent buys from a counterparty that supports AP2 |
| AgentCore Payments | AWS-native settlement for agent flows | You already live in Bedrock and want managed payment rails |

For now, TikTok MCP is the most prescriptive: a single platform with a defined tool surface and a defined money rail (TikTok charges your business account). Guardrails are easier to write against a narrow surface, so this is a good first place to let agents touch real spend.

Key takeaways

  • TikTok MCP is live. Agents can run campaigns end to end via standard tool calls. Add it to your Claude or Cursor config and it shows up alongside your other servers.
  • Cap spend at the gateway. A per-session daily cap stops a parsed-wrong budget from reaching the platform. Enforce it in your proxy, not in the prompt.
  • Phishing-check every landing URL. Lookalike domains are the most common fraud vector. One API call per campaign is cheap insurance.
  • Scan audience CSVs for restricted PII. Allow emails and phones; block SSNs, cards, and IDs. Let the agent recover by stripping fields and retrying.
  • Treat agents like fast junior buyers. Fast on the safe path, paused on the risky one. Guardrails make that pattern the default, not the exception.

Botoi exposes /v1/phishing/check, /v1/pii/detect, /v1/breach/check, and roughly 200 more single-purpose endpoints behind one API key with 5 req/min free. Wire them into your MCP gateway directly, or mount the botoi MCP server next to TikTok in Claude Desktop and let the agent call them itself. Start at the interactive docs.

Frequently asked questions

What did TikTok ship in May 2026?
TikTok released an MCP server and developer toolkit that exposes its Ads API to AI agents. Agents can create campaigns, set budgets, swap creatives, and pull reporting through standard Model Context Protocol tool calls. Digiday and PYMNTS confirmed the launch on May 14, 2026; the rollout includes Claude, Cursor, and any MCP-capable client.

Do I still need a TikTok Business account and an API token?
Yes. The MCP server is a transport layer, not an auth layer. You provision a TikTok for Business app, generate an access token with the ad-management scopes, and pass it to the MCP server via header or environment variable. The agent never sees the token; it sees the tools the token unlocks.

What guardrails should I add before letting an agent run ad spend?
Three at minimum. A hard daily budget cap enforced by your MCP gateway, a phishing check on every URL the agent proposes for a landing page, and a PII scan on the audience CSV before upload. Agents are good at optimizing what you measure; budget caps and URL validation keep them from optimizing for fraud.

How does this compare to AP2 or Bedrock AgentCore Payments?
AP2 defines agent-to-merchant payment intents. AgentCore Payments adds AWS-native settlement. TikTok MCP is narrower: it lets an agent operate inside one ad platform. Use TikTok MCP for campaign execution; use AP2 or AgentCore Payments when you need money to move between an agent and an external counterparty.

What happens if an agent burns my entire budget on a bad creative?
Without guardrails, the spend is real and non-refundable. The fix is two-layered: enforce hard caps at your MCP gateway (drop tool calls that exceed daily spend), and require human approval on creative changes via an approval queue. Treat the agent as a fast intern with a corporate card, not as a closed-loop optimizer.
