Manage client sessions in server-side environments with Para Server SDK
Para’s Server SDK enables you to import and manage client-side sessions within your server environment. This allows your server to perform authenticated blockchain operations on behalf of users without requiring them to re-authenticate. The server can also validate existing client sessions using either the Para client or dedicated verification endpoints.
First, have your client-side application export the active session:
Copy
Ask AI
// Client-sideconst para = new Para(Environment.BETA, "YOUR_API_KEY");// Export the current sessionconst serializedSession = await para.exportSession();// Send this to your server endpointawait fetch("/api/import-session", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ session: serializedSession }),});
If signing on the server isn’t required, you can pass { excludeSigners: true } as an argument to exportSession to remove the signer data from the exported wallets, enhancing security:
On your server, import the session into a Para Server SDK instance:
Copy
Ask AI
import { Para as ParaServer, Environment } from "@getpara/server-sdk@alpha";// Initialize the Para Server SDKconst paraServer = new ParaServer(Environment.BETA, "YOUR_API_KEY");app.post("/api/import-session", async (req, res) => { try { // Import the session from the client await paraServer.importSession(req.body.session); // Now you can use the paraServer instance for authenticated operations // ... res.status(200).json({ success: true }); } catch (error) { res.status(500).json({ error: "Failed to import session" }); }});
Create a new Para client instance for each request when handling multiple users. This prevents session conflicts between different users’ requests and ensures security isolation.
Once a user is signed in, you can request a Para JWT token. This token will provide attestations for the user’s ID, their identity, and any wallets they have provisioned via your application.
To request a token, use the issueJwt method. The method returns the token itself as well as the JWKS key ID (kid) for the keypair that signed it.
The token’s expiry will be determined by your customized session length, or else will default to 30 minutes. Issuing a token, like most authenticated API operations, will also renew and extend the session for that duration.
Depending on the user in question, a decoded token payload might resemble the following:
For non-Node.js servers or scenarios where you only need to validate a session without importing it, Para provides dedicated verification endpoints:
Copy
Ask AI
// Client-side: Get a verification tokenconst verificationToken = await para.getVerificationToken();// Send to your serverawait fetch("/api/verify-session", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ verificationToken }),});
On your server, verify the token against Para’s API.
Use your Secret API Key from the Developer Portal to authenticate requests to the verification endpoints. This key is different from the public-facing API Key used in the Para client.
To extend the validity of an imported session, you can use the keepSessionAlive method:
Copy
Ask AI
try { const success = await paraServer.keepSessionAlive(); if (!success) { // Session couldn't be extended // The client may need to re-authenticate }} catch (error) { console.error("Failed to maintain session:", error);}
You can configure session duration (up to 30 days) in the . This affects how long sessions remain valid without explicit extension.
To verify that a wallet address matches one of your users’ embedded wallets, you can send a request to one of the following endpoints:
Environment
URL
SANDBOX
https://api.sandbox.getpara.com/wallets/verify
BETA
https://api.beta.getpara.com/wallets/verify
PROD
https://api.getpara.com/wallets/verify
Use your Secret API Key from the Developer Portal to authenticate requests to this endpoint. This key is different from the public-facing API Key used in the Para client.
Pass the address for the wallet in the POST request body:
Node.js
Copy
Ask AI
// Server-side verificationapp.post("/api/verify-wallet", async (req, res) => { const { address } = req.body; if (!address) { return res.status(400).json({ error: "Missing address" }); } // Set the correct URL based on your environment const verifyUrl = "https://api.beta.getpara.com/wallets/verify"; try { const response = await fetch(verifyUrl, { method: "POST", headers: { "content-type": "application/json", "x-external-api-key": "YOUR_SECRET_API_KEY" }, body: JSON.stringify({ address }), }); // No matching wallet found if (response.status === 404) { return res.status(404).json({ error: `Wallet not found with address: ${address}` }); } const { walletId } = await response.json(); // Return the matched wallet ID: res.status(200).json({ walletId }); } catch (error) { res.status(500).json({ error: "Verification failed" }); }});
To learn more about using sessions on the server, check out this example. Each example route will have both pregen and session based routes for you to test with.
