by azimuth11 2728 days ago
Auth0 is not a bad option.

For JWT to support revocation, you must store them in the database and delete them on logout or when they expire.

To clarify for JWT invalidation, you don’t have to store the whole token. Instead just store the jti or some other identifying field that can be checked.
Can you please elaborate on this?
The JWT specification defines a payload attribute named jti which is used to store the token's nonce/id.

To avoid replay attacks, the backend adds the token's nonce to a scratchpad memory when the token is used in order to invalidate the token even if the expiration timestamp isn't reached.

If a JWT implementation is implemented to ignore replay attacks or even token expiration, the jti can still be used to invalidate tokens.
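The jti-based invalidation described in this thread, as an added example (not code from the thread or from any JWT library): the server keeps only the jti of logged-out tokens, checks the signature and expiry first, then rejects any token whose jti is on the list. It assumes HS256, a constructed demo key, and an in-memory dict standing in for the revocation store.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key-not-for-production"  # constructed sample key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub: str, jti: str, exp: int) -> str:
    # Mint an HS256 JWT whose payload carries a jti (token id) and an exp.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "jti": jti, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# Revocation list: jti -> exp. Storing the id (not the token) is enough, and
# keeping exp lets an entry be dropped once the token would expire anyway.
revoked: dict[str, int] = {}

def revoke(jti: str, exp: int) -> None:
    revoked[jti] = exp

def prune_revoked(now: int) -> None:
    for jti in [j for j, exp in revoked.items() if exp <= now]:  # expired on their own
        del revoked[jti]

def verify(token: str, now: int) -> str:
    """Return 'ok' or the reason the token is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return "malformed"
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return "bad-alg"
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # signature before any claim is trusted
        return "bad-signature"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return "expired"
    if payload.get("jti") in revoked:  # logout / replay defence keyed on jti
        return "revoked"
    return "ok"
```

In a real deployment the dict would be a shared store (e.g. a cache with TTL equal to the token lifetime) so every backend instance sees the same revocations.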