Logging in

Microsoft account flow

Authentication with either a Skype username or a Microsoft account requires calling out to the MS OAuth page, and retrieving the Skype token.

This is used to obtain a registration token for the messaging APIs, but is also used as-is in user and static endpoints.

GET https://login.skype.com/login/oauth/microsoft

This will redirect to login.live.com. Collect the value of the hidden field named PPFT.

Query Parameters
  • client_id -- 578134
  • redirect_uri -- https://web.skype.com
Response Headers
  • Cookie -- contains MSPRequ and MSPOK, both required for the next step

POST https://login.live.com/ppsecure/post.srf

If all is well, a hidden field with identifier t will contain a token for the last step.

Query Parameters
  • wa -- wsignin1.0
  • wp -- MBI_SSL
  • wreply -- https://lw.skype.com/login/oauth/proxy?client_id=578134&site_name=lw.skype.com&redirect_uri=https%3A%2F%2Fweb.skype.com%2F
Request Headers
  • Set-Cookie -- include MSPRequ and MSPOK as obtained earlier, and CkTst with a timestamp in the standard format
Form Parameters
  • login -- Skype username or Microsoft account email address
  • passwd -- corresponding account password
  • PPFT -- as obtained from the hidden field

POST https://web.skype.com/login/microsoft

The Skype token and expiry can be retrieved in the same fields as with a username/password login.

Query Parameters
  • client_id -- 578134
  • redirect_uri -- https://web.skype.com
Form Parameters
  • client_id -- 578134
  • redirect_uri -- https://web.skype.com
  • oauthPartner -- 999
  • site_name -- lw.skype.com
  • t -- as obtained earlier

Guest authentication

Skype also supports the notion of a guest, who can access a conversation from an invite, without a Skype account.

A guest account differs from regular accounts in that:

  • They can only access a single group conversation.
  • Their username is prefixed with guest:.
  • They have no profile information, just a display name.
  • They expire after 24 hours.

GET https://join.skype.com/(string: id)
Parameters
  • id -- public join URL code
Request Headers
  • User-Agent -- must be set to that of a supported device, e.g. Chrome
Response Headers
  • Set-Cookie -- CSRF token in csrf_token, request identifier in launcher_session_id

POST https://join.skype.com/api/v1/users/guests
Request Headers
  • csrf_token -- as above
  • X-Skype-Request-Id -- session identifier from above
Request JSON Object
  • flowId -- session identifier from above
  • shortId -- public join URL code
  • longId -- identifier retrieved from join.skype.com URL lookup
  • threadId -- chat identifier (19:<random>@thread.skype)
  • name -- guest display name
Response Headers
  • Set-Cookie -- token cookie named guest_token_<thread> containing the new token

Registration token

POST https://client-s.gateway.messenger.live.com/v1/users/ME/endpoints

Note

A JSON object must be provided in the body of the request, even if empty.

The non-standard header LockAndKey is required, and has the following format:

appId=msmsgs@msnmsgr.com; time=<timestamp>; lockAndKeyResponse=...

Here, time is a UNIX timestamp in the same format as before. The actual response must be generated through some Skype-specific crypto -- see skpy.conn.getMac256Hash() for the algorithm.

In some cases, a call to this endpoint will return a Location header pointing to a different subdomain (e.g. https://db1-client-s.gateway.messenger.live.com). In this case, repeat the call using the new URL. You should use this domain in place of the default one for all other gateway calls.

Request Headers
  • Authentication -- Skype token in the form skypetoken=<token>
  • LockAndKey -- key response as above
Response Headers
  • Location -- URL to newly generated endpoint, or to required subdomain
  • Set-RegistrationToken -- token response in the form registrationToken=<token>; expires=<timestamp>; endpointId=<id>
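
The redirect and token handling described above, as an added example that is not part of SkPy or the original page: it parses Set-RegistrationToken and follows a Location redirect only when the new host stays under gateway.messenger.live.com, so the Skype token is not re-sent to an unrelated host. The parent-domain check, the reading of expires as UNIX seconds, the function names and the sample header values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_HOST = "client-s.gateway.messenger.live.com"
# Assumption: a legitimate redirect stays under this parent domain.
GATEWAY_SUFFIX = ".gateway.messenger.live.com"

def parse_registration_token(header):
    """Split 'registrationToken=<token>; expires=<ts>; endpointId=<id>' into a dict."""
    fields = {}
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # partition splits on the first '=' only, so '=' padding survives
            fields[key] = value
    missing = {"registrationToken", "expires", "endpointId"} - set(fields)
    if missing:
        raise ValueError("missing fields: " + ", ".join(sorted(missing)))
    fields["expires"] = int(fields["expires"])  # assumption: UNIX seconds
    return fields

def gateway_host(location):
    """Return the host named by a Location header, or raise if it is off-domain."""
    url = urlsplit(location)
    host = (url.hostname or "").lower()
    if url.scheme != "https" or not host.endswith(GATEWAY_SUFFIX):
        raise ValueError("refusing to send the Skype token to %r" % host)
    return host

def handle_endpoints_response(current_host, headers, now):
    """Decide the next step from the headers of POST /v1/users/ME/endpoints."""
    host = current_host
    if "Location" in headers:
        host = gateway_host(headers["Location"])
        if host != current_host:  # different subdomain: repeat the call there
            return {"host": host, "retry": True, "token": None}
    token = parse_registration_token(headers["Set-RegistrationToken"])
    if token["expires"] <= now:
        raise ValueError("registration token has already expired")
    return {"host": host, "retry": False, "token": token}

# Constructed sample headers, not captured traffic.
REDIRECT = {"Location": "https://db1-client-s.gateway.messenger.live.com/v1/users/ME/endpoints"}
CREATED = {
    "Location": "https://db1-client-s.gateway.messenger.live.com/v1/users/ME/endpoints/example-id",
    "Set-RegistrationToken": "registrationToken=U2FtcGxl==; expires=1700003600; endpointId=example-id",
}

if __name__ == "__main__":
    print(handle_endpoints_response(DEFAULT_HOST, REDIRECT, now=1700000000))
    print(handle_endpoints_response("db1-" + DEFAULT_HOST, CREATED, now=1700000000))
```

The header lookups here use a plain dict and are case-sensitive; with an HTTP client library, pass its case-insensitive header mapping instead.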