Server should provide two api endpoints, one accepts npub and should send the one time code as dm. The other one accepts the code and should either set a cookie, or return some payload identifying the session. Nostr-login will pass that payload with onAuth event so you could use it to make future api calls. Codes should be bound to npub and expire