Create a token, put your userId in it, set an expiry date.
If a request comes with a token, check that the token is valid and check the userId and expiry date; otherwise throw an error.
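
A minimal sketch of the flow described above, added here as an example and not part of the original text. It assumes "valid" means the token carries an HMAC-SHA256 signature made with a server-side key; `SECRET`, `create_token`, `verify_token` and `TokenError` are names chosen for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: constructed demo key; a real service loads a random key from its secret store.
SECRET = b"constructed-demo-key-not-for-production"

class TokenError(Exception):
    """Raised for any token that must be rejected."""

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def create_token(user_id, ttl_seconds=900, now=None):
    issued = time.time() if now is None else now
    claims = {"userId": user_id, "exp": int(issued) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_sign(payload))

def verify_token(token, now=None):
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        raise TokenError("malformed token") from None
    # Check the signature first, in constant time, before trusting any claim.
    if not hmac.compare_digest(sig, _sign(payload)):
        raise TokenError("bad signature")
    try:
        claims = json.loads(payload)
        user_id, exp = claims["userId"], claims["exp"]
    except (ValueError, KeyError, TypeError):
        raise TokenError("malformed claims") from None
    if not isinstance(user_id, str) or not user_id or not isinstance(exp, int):
        raise TokenError("malformed claims")
    current = time.time() if now is None else now
    if current >= exp:
        raise TokenError("token expired")
    return user_id
```

The payload is only encoded, not encrypted, so nothing secret belongs in it; the signature is what stops a client from changing the userId or extending the expiry.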