Skype for Web makes use of two types of credential: a Skype token (obtained through an authentication flow in exchange for a username and password) used by most of the meta endpoints, and a registration token (obtained using the Skype token) specifically for messaging interactions.

Unless otherwise noted, authentication is handled as follows:

  • APIs on (or an alternative subdomain, see Registration token) require registration token authentication using the RegistrationToken header.

  • APIs on take an Authorization header of the form skype_token <token>.

  • All other APIs take an X-SkypeToken header set to the Skype token.

Some of the known response codes related to authentication:

  • HTTP 429, error code 803: auth rate limit exceeded (-5 minute cooldown)

  • HTTP 404, error code 729: no endpoint created (need to refresh registration token)

Skype token

Live authentication

Authentication with either a Skype username or a Microsoft account requires calling out to the MS OAuth page, and retrieving the Skype token.


This will redirect to Collect the value of the hidden field named PPFT.

Query Parameters:
  • client_id – 578134

  • redirect_uri

Response Headers:
  • Cookie – contains MSPRequ and MSPOK, both required for the next step


If all is well, a hidden field with identifier t will contain a token for the last step.

Query Parameters:
  • wa – wsignin1.0

  • wp – MBI_SSL

  • wreply

Request Headers:
  • Set-Cookie – include MSPRequ and MSPOK as obtained earlier, and CkTst with a timestamp in the standard format

Form Parameters:
  • login – Skype username or Microsoft account email address

  • passwd – corresponding account password

  • PPFT – as obtained from the hidden field


The Skype token and expiry can be retrieved in the same fields as with a username/password login.

Query Parameters:
  • client_id – 578134

  • redirect_uri

Form Parameters:
  • client_id – 578134

  • redirect_uri

  • oauthPartner – 999


  • t – as obtained earlier

SOAP authentication

Authentication with a Microsoft account email address and password (or application-specific token) works by using an endpoint to obtain a security token, and exchanging that for a Skype token.


This is an XML endpoint that will exchange a Microsoft account email address and password for a security token.

Request body:

<Envelope xmlns=""
           <wsse:UsernameToken Id="user">
       <ps:RequestMultipleSecurityTokens Id="RSTS">
           <wst:RequestSecurityToken Id="RST0">
               <wsse:PolicyReference URI="MBI_SSL"></wsse:PolicyReference>

Response body (token under BinarySecurityToken):

<?xml version="1.0" encoding="utf-8" ?>
                    <wsse:BinarySecurityToken Id="Compact0">...</wsse:BinarySecurityToken>
                    <wsse:KeyIdentifier ValueType="urn:passport:compact"></wsse:KeyIdentifier>
                    <wsse:Reference URI="#Compact0"></wsse:Reference>

Convert the Microsoft security token into a Skype token.

Request JSON Object:
  • partner – 999

  • scopes – client

  • access_token – token from above

Response JSON Object:
  • skypetoken – resulting Skype token

  • skypeid – username of the authenticated user

  • signinname – identifier of the linked Microsoft account

  • expiresIn – number of seconds until the token expires

Guest access

Skype also supports the notion of a guest, who can access a conversation from an invite, without a Skype account.

A guest account differs from regular accounts in that:

  • They can only access a single group conversation.

  • Their username is prefixed with guest:.

  • They have no profile information, just a display name.

  • They expire after 24 hours.

GET id)
  • id – public join URL code

Request Headers:
  • User-Agent – must be set to that of a supported device, e.g. Chrome

Response Headers:
  • Set-Cookie – CSRF token in csrf_token, request identifier in launcher_session_id

Request Headers:
  • csrf_token – as above

  • X-Skype-Request-Id – session identifier from above

Request JSON Object:
  • flowId – session identifier from above

  • shortId – public join URL code

  • longId – identifier retrieved from URL lookup

  • threadId – chat identifier (19:<random>

  • name – guest display name

Response Headers:
  • Set-Cookie – token cookie named guest_token_<thread> containing the new token

Registration token



A JSON object must be provided in the body of the request, even if empty.

The non-standard header LockAndKey is required, and has the following format:; time=<timestamp>; lockAndKeyResponse=...

Here, time is a UNIX timestamp in the same format as before. The actual response must be generated through some Skype-specific crypto – see skpy.conn.getMac256Hash() for the algorithm.

In some cases, a call to this endpoint will return a Location header pointing to a different subdomain (e.g. In this case, repeat the call using the new URL. You should use this domain in place of the default one for all other gateway calls.

Request Headers:
  • Authentication – Skype token in the form skypetoken=<token>

  • LockAndKey – key response as above

Response Headers:
  • Location – URL to newly generated endpoint, or to required subdomain

  • Set-RegistrationToken – token response in the form registrationToken=<token>; expires=<timestamp>; endpointId=<id>
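
The response handling described in this section, as an added Python example (not SkPy's own code): it parses the Set-RegistrationToken header, follows a Location that names a different host, and decides when a new registration token is needed from the expiry or from HTTP 404 / error code 729. Assumptions: the hosts, paths, token and endpoint id are constructed placeholders, headers arrive as a plain dict with these exact names, and the error code is passed in as an argument because the page does not say where in the response it appears.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

REQUIRED = ("registrationToken", "expires", "endpointId")


def parse_registration_token(header):
    """Split 'registrationToken=<token>; expires=<timestamp>; endpointId=<id>'."""
    fields = {}
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # partition() splits on the first '=', so base64 padding survives
            fields[key] = value
    missing = [name for name in REQUIRED if name not in fields]
    if missing:
        raise ValueError("Set-RegistrationToken lacks " + ", ".join(missing))
    return {
        "token": fields["registrationToken"],
        "expires": datetime.fromtimestamp(int(fields["expires"]), tz=timezone.utc),
        "endpoint_id": fields["endpointId"],
    }


def next_step(request_url, headers):
    """Classify an endpoint-creation response.

    ("retry", url): Location names another host; repeat the call there and
    keep using that host for later gateway calls.
    ("done", token): a registration token was issued for this host.
    """
    location = headers.get("Location")
    if location and urlsplit(location).hostname != urlsplit(request_url).hostname:
        return "retry", location
    if "Set-RegistrationToken" in headers:
        return "done", parse_registration_token(headers["Set-RegistrationToken"])
    raise ValueError("no redirect and no registration token in response")


def must_reregister(status, error_code, token, now):
    """True once the token has expired or the API answers HTTP 404 / error 729."""
    return now >= token["expires"] or (status == 404 and error_code == 729)


# Constructed sample responses; hosts, paths, token and endpoint id are placeholders.
FIRST = {"Location": "https://region1.gateway.example.invalid/endpoints"}
SECOND = {
    "Location": "https://region1.gateway.example.invalid/endpoints/%7Bsample-id%7D",
    "Set-RegistrationToken":
        "registrationToken=c2FtcGxl==; expires=1700000000; endpointId={sample-id}",
}
```

Storing the parsed expiry next to the token lets a client re-register before a messaging call fails, and keeps the token bound to the host that issued it.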