There are a couple of ways to secure your API using Magic:
- You can generate a DID token client-side using magic's <getIdToken> sdk method. Then send that in the authorization header to your API, where you'll call our <validate(didToken)> function on the token generated client-side. By default the tokens are valid for 15 minutes but you can pass in a lifespan parameter to set any expiration date you'd like.
- Manage your own sessions by issuing a cookie/JWT after a user completes a login. Verify the cookie/ JWT on each request to the server since your server will have signed the token with a secret. If you have any questions, please refer to this detailed explanation: https://magic.link/posts/magic-jwt