There are a couple of ways to secure your API using Magic:

You can generate a DID token client-side using Magic's getIdToken SDK method. Then send it in the Authorization header to your API, where you'll call our validate(didToken) function on the token generated client-side. By default the tokens are valid for 15 minutes, but you can pass in a lifespan parameter to set any expiration date you'd like.

Manage your own sessions by issuing a cookie/JWT after a user completes a login. Verify the cookie/JWT on each request to the server, since your server will have signed the token with a secret. If you have any questions, please refer to this detailed explanation:
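
The second approach, sketched as an added example (not code from the original answer or from Magic's SDK): after the DID token has been validated once at login, the server issues its own HS256-signed session token and checks signature, algorithm and expiry on every request. The function names, the sample user id and the 900-second lifetime are assumptions made for the illustration; it uses only Node's built-in crypto module.

```javascript
const crypto = require('crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');

function sign(data, secret) {
  return crypto.createHmac('sha256', secret).update(data).digest('base64url');
}

// Call this only after the DID token from the client has been validated server-side.
function issueSession(userId, secret, ttlSeconds, now = Date.now()) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const iat = Math.floor(now / 1000);
  const payload = b64url(JSON.stringify({ sub: userId, iat, exp: iat + ttlSeconds }));
  const data = `${header}.${payload}`;
  return `${data}.${sign(data, secret)}`;
}

// Returns the claims for a valid, unexpired token, otherwise null.
function verifySession(token, secret, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, payload, signature] = parts;
  const expected = Buffer.from(sign(`${header}.${payload}`, secret));
  const given = Buffer.from(signature);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    // Pin the algorithm; never let the token's own header choose it.
    const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString());
    if (alg !== 'HS256') return null;
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
    if (typeof claims.exp !== 'number' || claims.exp <= Math.floor(now / 1000)) return null;
    return claims;
  } catch {
    return null;
  }
}

// Constructed sample values so the block runs stand-alone.
const SECRET = crypto.randomBytes(32);
const T0 = Date.UTC(2024, 0, 1);
const token = issueSession('did:ethr:0xEXAMPLE', SECRET, 900, T0);
console.log(verifySession(token, SECRET, T0 + 60_000));  // claims object
console.log(verifySession(token, SECRET, T0 + 901_000)); // null (expired)
```

In a real deployment the secret comes from server-side configuration rather than being generated per process, and the token travels in an HttpOnly, Secure cookie or the Authorization header.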
