Logging in

Microsoft account flow

Authentication with either a Skype username or a Microsoft account requires calling out to the MS OAuth page, and retrieving the Skype token.

This is used to obtain a registration token for the messaging APIs, but is also used as-is in user and static endpoints.

GET https://login.skype.com/login/oauth/microsoft

This will redirect to login.live.com. Collect the value of the hidden field named PPFT.

Query Parameters
  • client_id – 578134
  • redirect_uri – https://web.skype.com
Response Headers
  • Cookie – contains MSPRequ and MSPOK, both required for the next step

POST https://login.live.com/ppsecure/post.srf

If all is well, a hidden field with identifier t will contain a token for the last step.

Query Parameters
  • wa – wsignin1.0
  • wp – MBI_SSL
  • wreply – https://lw.skype.com/login/oauth/proxy?client_id=578134&site_name=lw.skype.com&redirect_uri=https%3A%2F%2Fweb.skype.com%2F
Request Headers
  • Set-Cookie – include MSPRequ and MSPOK as obtained earlier, and CkTst with a timestamp in the standard format
Form Parameters
  • login – Skype username or Microsoft account email address
  • passwd – corresponding account password
  • PPFT – as obtained from the hidden field

POST https://web.skype.com/login/microsoft

The Skype token and expiry can be retrieved in the same fields as with a username/password login.

Query Parameters
  • client_id – 578134
  • redirect_uri – https://web.skype.com
Form Parameters
  • client_id – 578134
  • redirect_uri – https://web.skype.com
  • oauthPartner – 999
  • site_name – lw.skype.com
  • t – as obtained earlier

Guest authentication

Skype also supports the notion of a guest, who can access a conversation from an invite, without a Skype account.

A guest account differs from regular accounts in that:

  • They can only access a single group conversation.
  • Their username is prefixed with guest:.
  • They have no profile information, just a display name.
  • They expire after 24 hours.

GET https://join.skype.com/(string: id)
  • id – public join URL code
Request Headers
  • User-Agent – must be set to that of a supported device, e.g. Chrome
Response Headers
  • Set-Cookie – CSRF token in csrf_token, request identifier in launcher_session_id

POST https://join.skype.com/api/v1/users/guests
Request Headers
  • csrf_token – as above
  • X-Skype-Request-Id – session identifier from above
Request JSON Object
  • flowId – session identifier from above
  • shortId – public join URL code
  • longId – identifier retrieved from join.skype.com URL lookup
  • threadId – chat identifier (19:<random>@thread.skype)
  • name – guest display name
Response Headers
  • Set-Cookie – token cookie named guest_token_<thread> containing the new token

Registration token

POST https://client-s.gateway.messenger.live.com/v1/users/ME/endpoints


A JSON object must be provided in the body of the request, even if empty.

The non-standard header LockAndKey is required, and has the following format:

appId=msmsgs@msnmsgr.com; time=<timestamp>; lockAndKeyResponse=...

Here, time is a UNIX timestamp in the same format as before. The actual response must be generated through some Skype-specific crypto – see skpy.conn.getMac256Hash() for the algorithm.

In some cases, a call to this endpoint will return a Location header pointing to a different subdomain (e.g. https://db1-client-s.gateway.messenger.live.com). In this case, repeat the call using the new URL. You should use this domain in place of the default one for all other gateway calls.

Request Headers
  • Authentication – Skype token in the form skypetoken=<token>
  • LockAndKey – key response as above
Response Headers
  • Location – URL to newly generated endpoint, or to required subdomain
  • Set-RegistrationToken – token response in the form registrationToken=<token>; expires=<timestamp>; endpointId=<id>
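
The response handling described above, as an added example that is not SkPy's own code: it parses Set-RegistrationToken and decides what to do with Location, refusing to resend the Skype token to an unexpected host. The function names, the TRUSTED_SUFFIX allowlist (taken from the db1- example above) and the integer form of expires are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_GATEWAY = "https://client-s.gateway.messenger.live.com"
# Assumption: legitimate redirects stay under this suffix, as in the db1- example.
TRUSTED_SUFFIX = ".gateway.messenger.live.com"


def parse_registration_token(header):
    """Split 'registrationToken=<token>; expires=<timestamp>; endpointId=<id>'."""
    fields = {}
    for part in header.split(";"):
        # partition() splits on the first '=' only, so '=' padding in a token survives
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value
    missing = {"registrationToken", "expires", "endpointId"} - fields.keys()
    if missing:
        raise ValueError("Set-RegistrationToken is missing: " + ", ".join(sorted(missing)))
    fields["expires"] = int(fields["expires"])  # assumed to be an integer UNIX timestamp
    return fields


def gateway_after_redirect(current_base, location):
    """Return the gateway base URL to use after a Location header.

    Same host: Location names the new endpoint, so keep the current gateway.
    Different host: switch to it only if it is HTTPS and under TRUSTED_SUFFIX,
    because the repeated call resends the Skype token in the Authentication header.
    """
    cur, new = urlsplit(current_base), urlsplit(location)
    host = (new.hostname or "").lower()
    if host == (cur.hostname or "").lower():
        return current_base
    if new.scheme != "https" or not host.endswith(TRUSTED_SUFFIX):
        raise ValueError("refusing to resend token to " + repr(location))
    return "https://" + host


if __name__ == "__main__":
    # Constructed sample values, not captured from a real session
    print(parse_registration_token(
        "registrationToken=abc==; expires=1500000000; endpointId={0000}"))
    print(gateway_after_redirect(
        DEFAULT_GATEWAY,
        "https://db1-client-s.gateway.messenger.live.com/v1/users/ME/endpoints"))
```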