Credentials#

Skype for Web makes use of two types of credential: a Skype token (obtained through an authentication flow in exchange for a username and password) used by most of the meta endpoints, and a registration token (obtained using the Skype token) specifically for messaging interactions.

Unless otherwise noted, authentication is handled as follows:

  • APIs on client-s.gateway.messenger.live.com (or an alternative subdomain, see Registration token) require registration token authentication using the RegistrationToken header.

  • APIs on api.asm.skype.com take an Authorization header of the form skype_token <token>.

  • All other APIs take an X-SkypeToken header set to the Skype token.

Some of the known response codes related to authentication:

  • HTTP 429, error code 803: auth rate limit exceeded (-5 minute cooldown)

  • HTTP 404, error code 729: no endpoint created (need to refresh registration token)

Skype token#

Live authentication#

Authentication with either a Skype username or a Microsoft account requires calling out to the MS OAuth page, and retrieving the Skype token.

GET https://login.skype.com/login/oauth/microsoft#

This will redirect to login.live.com. Collect the value of the hidden field named PPFT.

Query Parameters:
  • client_id578134

  • redirect_urihttps://web.skype.com

Response Headers:
  • Cookie – contains MSPRequ and MSPOK, both required for the next step

POST https://login.live.com/ppsecure/post.srf#

If all is well, a hidden field with identifier t will contain a token for the last step.

Query Parameters:
  • wawsignin1.0

  • wpMBI_SSL

  • wreplyhttps://lw.skype.com/login/oauth/proxy?client_id=578134&site_name=lw.skype.com&redirect_uri=https%3A%2F%2Fweb.skype.com%2F

Request Headers:
  • Set-Cookie – include MSPRequ and MSPOK as obtained earlier, and CkTst with a timestamp in the standard format

Form Parameters:
  • login – Skype username or Microsoft account email address

  • passwd – corresponding account password

  • PPFT – as obtained from the hidden field

POST https://web.skype.com/login/microsoft#

The Skype token and expiry can be retrieved in the same fields as with a username/password login.

Query Parameters:
  • client_id578134

  • redirect_urihttps://web.skype.com

Form Parameters:
  • client_id578134

  • redirect_urihttps://web.skype.com

  • oauthPartner999

  • site_namelw.skype.com

  • t – as obtained earlier

SOAP authentication#

Authentication with a Microsoft account email address and password (or application-specific token), using an endpoint to obtain a security token, and exchanging that for a Skype token,

POST https://login.live.com/RST.srf#

This is an XML endpoint that will exchange a Microsoft account email address and password for a security token.

Request body:

<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"
   xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext"
   xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
   xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
   xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
   xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL">
   <Header>
       <wsse:Security>
           <wsse:UsernameToken Id="user">
               <wsse:Username>...</wsse:Username>
               <wsse:Password>...</wsse:Password>
           </wsse:UsernameToken>
       </wsse:Security>
   </Header>
   <Body>
       <ps:RequestMultipleSecurityTokens Id="RSTS">
           <wst:RequestSecurityToken Id="RST0">
               <wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
               <wsp:AppliesTo>
                   <wsa:EndpointReference>
                       <wsa:Address>wl.skype.com</wsa:Address>
                   </wsa:EndpointReference>
               </wsp:AppliesTo>
               <wsse:PolicyReference URI="MBI_SSL"></wsse:PolicyReference>
           </wst:RequestSecurityToken>
       </ps:RequestMultipleSecurityTokens>
   </Body>
</Envelope>

Response body (token under BinarySecurityToken):

<?xml version="1.0" encoding="utf-8" ?>
<S:Envelope
    xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
    <S:Header></S:Header>
    <S:Body>
        <wst:RequestSecurityTokenResponseCollection
            xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
            xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
            xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
            <wst:RequestSecurityTokenResponse>
                <wst:TokenType>urn:passport:compact</wst:TokenType>
                <wsp:AppliesTo
                    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
                    <wsa:EndpointReference>
                        <wsa:Address>wl.skype.com</wsa:Address>
                    </wsa:EndpointReference>
                </wsp:AppliesTo>
                <wst:LifeTime>
                    <wsu:Created>2021-01-01T12:00:00Z</wsu:Created>
                    <wsu:Expires>2021-01-02T12:00:00Z</wsu:Expires>
                </wst:LifeTime>
                <wst:RequestedSecurityToken>
                    <wsse:BinarySecurityToken Id="Compact0">...</wsse:BinarySecurityToken>
                </wst:RequestedSecurityToken>
                <wst:RequestedTokenReference>
                    <wsse:KeyIdentifier ValueType="urn:passport:compact"></wsse:KeyIdentifier>
                    <wsse:Reference URI="#Compact0"></wsse:Reference>
                </wst:RequestedTokenReference>
            </wst:RequestSecurityTokenResponse>
        </wst:RequestSecurityTokenResponseCollection>
    </S:Body>
</S:Envelope>
POST https://edge.skype.com/rps/v1/rps/skypetoken#

Convert the Microsoft security token into a Skype token.

Request JSON Object:
  • partner999

  • scopesclient

  • access_token – token from above

Response JSON Object:
  • skypetoken – resulting Skype token

  • skypeid – username of the authenticated user

  • signinname – identifier of the linked Microsoft account

  • expiresIn – number of seconds until the token expires

Guest access#

Skype also supports the notion of a guest, who can access a conversation from an invite, without a Skype account.

A guest account differs from regular accounts in that:

  • They can only access a single group conversation.

  • Their username is prefixed with guest:.

  • They have no profile information, just a display name.

  • They expire after 24 hours.

GET https://join.skype.com/(string: id)#
Parameters:
  • id – public join URL code

Request Headers:
  • User-Agent – must be set to that of a supported device, e.g. Chrome

Response Headers:
  • Set-Cookie – CSRF token in csrf_token, request identifier in launcher_session_id

POST https://join.skype.com/api/v1/users/guests#
Request Headers:
  • csrf_token – as above

  • X-Skype-Request-Id – session identifier from above

Request JSON Object:
  • flowId – session identifier from above

  • shortId – public join URL code

  • longId – identifier retrieved from join.skype.com URL lookup

  • threadId – chat identifier (19:<random>@thread.skype)

  • name – guest display name

Response Headers:
  • Set-Cookie – token cookie named guest_token_<thread> containing the new token

Registration token#

POST https://client-s.gateway.messenger.live.com/v1/users/ME/endpoints#

Note

A JSON object must be provided in the body of the request, even if empty.

The non-standard header LockAndKey is required, and has the following format:

appId=msmsgs@msnmsgr.com; time=<timestamp>; lockAndKeyResponse=...

Here, time is a UNIX timestamp in the same format as before. The actual response must be generated through some Skype-specific crypto – see skpy.conn.getMac256Hash() for the algorithm.

In some cases, a call to this endpoint will return a Location header pointing to a different subdomain (e.g. https://db1-client-s.gateway.messenger.live.com. In this case, repeat the call using the new URL. You should use this domain in place of the default one for all other gateway calls.

Request Headers:
  • Authentication – Skype token in the form skypetoken=<token>

  • LockAndKey – key response as above

Response Headers:
  • Location – URL to newly generated endpoint, or to required subdomain

  • Set-RegistrationToken – token response in the form registrationToken=<token>; expires=<timestamp>; endpointId=<id>