How are sessions handled with Magic?

There are multiple ways to handle sessions with Magic. Relying on Magic for session management, or Relying on your backend for session management.

Relying on Magic for session management

When a user logs in, they create a new session that is valid for 7 days. Unless the user explicitly logs out, they won’t have to log in again for 7 days. This is not customizable by developers.

As a developer, call isLoggedin() to check if the user is authenticated with Magic on your application. (link)

Relying on your backend for session management

If you have a backend, you can manage user sessions with either cookies or by relying on the DID token Magic provides.

Cookies

After a user authenticates, they will create two sessions, one with your app (first party), one with Magic (third party). You will rely on your first party session, managed by having your server issue a cookie to each user once they successfully login. The cookie can contain user-specific data allowing you to tell who makes each request. The cookie should be encrypted before it’s set inside the client, and decrypted by your backend on each request so you can read from it. With this setup, Magic only serves as the authentication layer.

DID Tokens

When a user logs into your app, call getIdToken(lifespan: 9999) and pass in the lifespan argument to get a unique DID token. The lifespan parameter will set the expiration date of the DID token to that many milliseconds in the future. On each request to the server, validate the DID token to know if they are authorized. (link)