Credentials¶
Skype for Web makes use of two types of credential: a Skype token (obtained through an authentication flow in exchange for a username and password) used by most of the meta endpoints, and a registration token (obtained using the Skype token) specifically for messaging interactions.
Unless otherwise noted, authentication is handled as follows:
APIs on
client-s.gateway.messenger.live.com(or an alternative subdomain, see Registration token) require registration token authentication using theRegistrationTokenheader.APIs on
api.asm.skype.comtake anAuthorizationheader of the formskype_token <token>.All other APIs take an
X-SkypeTokenheader set to the Skype token.
Some of the known response codes related to authentication:
HTTP 429, error code 803: auth rate limit exceeded (-5 minute cooldown)
HTTP 404, error code 729: no endpoint created (need to refresh registration token)
Skype token¶
Live authentication¶
Authentication with either a Skype username or a Microsoft account requires calling out to the MS OAuth page, and retrieving the Skype token.
- GET https://login.skype.com/login/oauth/microsoft¶
This will redirect to
login.live.com. Collect the value of the hidden field namedPPFT.- Query Parameters:
client_id –
578134redirect_uri –
https://web.skype.com
- Response Headers:
Cookie – contains
MSPRequandMSPOK, both required for the next step
- POST https://login.live.com/ppsecure/post.srf¶
If all is well, a hidden field with identifier
twill contain a token for the last step.- Query Parameters:
wa –
wsignin1.0wp –
MBI_SSLwreply –
https://lw.skype.com/login/oauth/proxy?client_id=578134&site_name=lw.skype.com&redirect_uri=https%3A%2F%2Fweb.skype.com%2F
- Request Headers:
Set-Cookie – include
MSPRequandMSPOKas obtained earlier, andCkTstwith a timestamp in the standard format
- Form Parameters:
login – Skype username or Microsoft account email address
passwd – corresponding account password
PPFT – as obtained from the hidden field
- POST https://web.skype.com/login/microsoft¶
The Skype token and expiry can be retrieved in the same fields as with a username/password login.
- Query Parameters:
client_id –
578134redirect_uri –
https://web.skype.com
- Form Parameters:
client_id –
578134redirect_uri –
https://web.skype.comoauthPartner –
999site_name –
lw.skype.comt – as obtained earlier
SOAP authentication¶
Authentication with a Microsoft account email address and password (or application-specific token), using an endpoint to obtain a security token, and exchanging that for a Skype token,
- POST https://login.live.com/RST.srf¶
This is an XML endpoint that will exchange a Microsoft account email address and password for a security token.
Request body:
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL"> <Header> <wsse:Security> <wsse:UsernameToken Id="user"> <wsse:Username>...</wsse:Username> <wsse:Password>...</wsse:Password> </wsse:UsernameToken> </wsse:Security> </Header> <Body> <ps:RequestMultipleSecurityTokens Id="RSTS"> <wst:RequestSecurityToken Id="RST0"> <wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType> <wsp:AppliesTo> <wsa:EndpointReference> <wsa:Address>wl.skype.com</wsa:Address> </wsa:EndpointReference> </wsp:AppliesTo> <wsse:PolicyReference URI="MBI_SSL"></wsse:PolicyReference> </wst:RequestSecurityToken> </ps:RequestMultipleSecurityTokens> </Body> </Envelope>
Response body (token under
BinarySecurityToken):<?xml version="1.0" encoding="utf-8" ?> <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"> <S:Header></S:Header> <S:Body> <wst:RequestSecurityTokenResponseCollection xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust" xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"> <wst:RequestSecurityTokenResponse> <wst:TokenType>urn:passport:compact</wst:TokenType> <wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"> <wsa:EndpointReference> <wsa:Address>wl.skype.com</wsa:Address> </wsa:EndpointReference> </wsp:AppliesTo> <wst:LifeTime> <wsu:Created>2021-01-01T12:00:00Z</wsu:Created> <wsu:Expires>2021-01-02T12:00:00Z</wsu:Expires> </wst:LifeTime> <wst:RequestedSecurityToken> <wsse:BinarySecurityToken Id="Compact0">...</wsse:BinarySecurityToken> </wst:RequestedSecurityToken> <wst:RequestedTokenReference> <wsse:KeyIdentifier ValueType="urn:passport:compact"></wsse:KeyIdentifier> <wsse:Reference URI="#Compact0"></wsse:Reference> </wst:RequestedTokenReference> </wst:RequestSecurityTokenResponse> </wst:RequestSecurityTokenResponseCollection> </S:Body> </S:Envelope>
- POST https://edge.skype.com/rps/v1/rps/skypetoken¶
Convert the Microsoft security token into a Skype token.
- Request JSON Object:
partner –
999scopes –
clientaccess_token – token from above
- Response JSON Object:
skypetoken – resulting Skype token
skypeid – username of the authenticated user
signinname – identifier of the linked Microsoft account
expiresIn – number of seconds until the token expires
Guest access¶
Skype also supports the notion of a guest, who can access a conversation from an invite, without a Skype account.
A guest account differs from regular accounts in that:
They can only access a single group conversation.
Their username is prefixed with
guest:.They have no profile information, just a display name.
They expire after 24 hours.
- GET https://join.skype.com/(string: id)¶
- Parameters:
id – public join URL code
- Request Headers:
User-Agent – must be set to that of a supported device, e.g. Chrome
- Response Headers:
Set-Cookie – CSRF token in
csrf_token, request identifier inlauncher_session_id
- POST https://join.skype.com/api/v1/users/guests¶
- Request Headers:
csrf_token – as above
X-Skype-Request-Id – session identifier from above
- Request JSON Object:
flowId – session identifier from above
shortId – public join URL code
longId – identifier retrieved from join.skype.com URL lookup
threadId – chat identifier (
19:<random>@thread.skype)name – guest display name
- Response Headers:
Set-Cookie – token cookie named
guest_token_<thread>containing the new token
Registration token¶
- POST https://client-s.gateway.messenger.live.com/v1/users/ME/endpoints¶
Note
A JSON object must be provided in the body of the request, even if empty.
The non-standard header
LockAndKeyis required, and has the following format:appId=msmsgs@msnmsgr.com; time=<timestamp>; lockAndKeyResponse=...
Here,
timeis a UNIX timestamp in the same format as before. The actual response must be generated through some Skype-specific crypto – seeskpy.conn.getMac256Hash()for the algorithm.In some cases, a call to this endpoint will return a
Locationheader pointing to a different subdomain (e.g.https://db1-client-s.gateway.messenger.live.com. In this case, repeat the call using the new URL. You should use this domain in place of the default one for all other gateway calls.- Request Headers:
Authentication – Skype token in the form
skypetoken=<token>LockAndKey – key response as above
- Response Headers:
Location – URL to newly generated endpoint, or to required subdomain
Set-RegistrationToken – token response in the form
registrationToken=<token>; expires=<timestamp>; endpointId=<id>