State token based approach to secure web applications
Abstract:
Techniques for securing a single page application (SPA) are provided. An API server that receives an API call from an SPA to navigate a first user to a first state of the SPA navigates the first user to the first state of the SPA and generates a first token indicating that the first user has accessed the first state of the SPA. When the API server receives a request from the first user to navigate to a second state of the SPA (the request including the first token), the API server verifies that the first token indicating that the first user has accessed the first state of the SPA is valid for the second state of the SPA before navigating the first user to the second state of the SPA. Additionally, the API server expires the first token upon navigating the first user to the second state of the SPA.
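The following sketch is an added illustration of the flow described in the abstract, not code from the patent. The state graph (`ALLOWED_FROM`, `ENTRY_STATES`), the HMAC-signed token format and the in-memory store of live nonces are assumptions chosen for the example.

```python
import hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)          # server-side secret (constructed)
# Hypothetical state graph: target state -> states whose token unlocks it.
ALLOWED_FROM = {"cart": {"catalog"}, "checkout": {"cart"}, "receipt": {"checkout"}}
ENTRY_STATES = {"catalog"}                    # reachable without a prior token
_live = set()                                 # nonces of tokens not yet expired


def _sign(user, state, nonce):
    """MAC binding the token to one user, one state and one nonce."""
    msg = f"{user}|{state}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user, state):
    """Record that `user` reached `state`; return a single-use token."""
    nonce = secrets.token_hex(16)
    _live.add(nonce)
    return f"{state}|{nonce}|{_sign(user, state, nonce)}"


def navigate(user, target, token=None):
    """Return a fresh token for `target`, or None if the request is refused."""
    if token is None:
        return issue_token(user, target) if target in ENTRY_STATES else None
    parts = token.split("|")
    if len(parts) != 3:
        return None                           # malformed token
    state, nonce, mac = parts
    if not hmac.compare_digest(mac.encode(), _sign(user, state, nonce).encode()):
        return None                           # forged, or issued to another user
    if nonce not in _live:
        return None                           # already expired: replay attempt
    if state not in ALLOWED_FROM.get(target, set()):
        return None                           # token not valid for this state
    _live.discard(nonce)                      # expire the first token on success
    return issue_token(user, target)
```

A direct API call to `checkout` without a live `cart` token is refused, as is a replay of a token that was already used for a transition.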