Importing Client Sessions
Export the authenticated client session, send it to your backend over HTTPS, then import it into a freshParaServer instance for the request.
Client-Side Session Export
UsewaitAndExportSession() after the user authenticates:
waitAndExportSession() waits until the SDK has reached an authenticated state before reading session data. Use it for handoff flows immediately after login.Server-Side Session Import
Import the serialized session before running user-authenticated operations:keepSessionAlive() extends the active imported session according to the API key’s configured session length. It returns false if the session cannot be extended.Handling Multiple User Sessions
Each exported session belongs to one authenticated user. Import each session into its ownParaServer instance when your backend handles multiple users or parallel requests:
Session Validation
You can validate sessions on the server side to ensure they’re still active before performing operations.Using the Para Client
Using JWT Authentication
Once a user is signed in, you can request a Para JWT token. This token will provide attestations for the user’s ID, their identity, and any wallets they have provisioned via your application. To request a token, use theissueJwt method. The method returns the token itself as well as the JWKS key ID (kid) for the keypair that signed it.
The token’s expiry will be determined by your customized session length, or else will default to 30 minutes. Issuing a token, like most authenticated API operations, will also renew and extend the session for that duration.
| Environment | JWKS URL |
|---|---|
| BETA | https://api.beta.getpara.com/.well-known/jwks.json |
| PROD | https://api.getpara.com/.well-known/jwks.json |
Using Verification Tokens
For non-Node.js servers or scenarios where you only need to validate a session without importing it, Para provides dedicated verification endpoints:Use your Secret API Key from the Developer Portal to authenticate requests to the verification endpoints. This key is different from the public-facing API Key used in the Para client.
| Environment | Verification URL |
|---|---|
| BETA | https://api.beta.getpara.com/sessions/verify |
| PROD | https://api.getpara.com/sessions/verify |
Session Management
Maintaining Session Validity
To extend the validity of the session imported into the currentParaServer instance, call keepSessionAlive():
Session length is configured per API key in the or CLI. The Para API enforces that duration, and
keepSessionAlive() extends the active session according to the configured value.refreshSession() starts a login or refresh flow and returns a login URL. For imported server sessions, use keepSessionAlive() to extend the active session.Best Practices
- Create a fresh server instance per session: Initialize a new Para Server SDK instance for each imported user session or request.
- Secure session transport: Always use HTTPS when transferring sessions between client and server. Do not log serialized sessions.
-
Export signer data only when needed: Use
{ excludeSigners: true }only when the server does not need to sign. - Validate before operations: Check that the imported session is active before performing authenticated operations.
- Handle expiration explicitly: If the session is expired or cannot be extended, ask the client to authenticate again and export a new session.
- Use verification tokens for auth-only checks: When you only need to verify who the user is, use verification tokens instead of importing a full session.
- Configure session length intentionally: Set the API key’s session length in the Developer Portal or CLI based on your application’s security model.
Verifying Wallet Ownership
To verify that a wallet address matches one of your users’ embedded wallets, you can send a request to one of the following endpoints:| Environment | URL |
|---|---|
| BETA | https://api.beta.getpara.com/wallets/verify |
| PROD | https://api.getpara.com/wallets/verify |
Use your Secret API Key from the Developer Portal to authenticate requests to this endpoint. This key is different from the public-facing API Key used in the Para client.
Node.js