With JWT, you can have an expiration database; something like an in-memory Redis instance or memcached can also work... the jti (token identifier) can be added with a timeout of the token's expiration, so that on request, you can check to see if the token was revoked. You also get the added advantage of not having to query user/role tables or systems on requests, or maintain a state server at all. If you have short-lived tokens with a refresh cycle, you may not need a "logout" at all.
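The revocation check described in the comment above, as an added example that is not the commenter's code: a revoked jti is stored with a lifetime equal to the token's remaining validity and consulted on each request. It assumes HS256 with a constructed key; the dict-backed `RevocationStore` stands in for Redis/memcached, and all function names are hypothetical.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(sub: str, jti: str, ttl: int, now: int) -> str:
    """Mint an HS256 JWT carrying the jti and exp claims."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": sub, "jti": jti, "exp": now + ttl}).encode())
    return f"{head}.{body}.{b64e(sign(head + '.' + body))}"

class RevocationStore:
    """Dict stand-in for Redis/memcached: revoked jti -> time the entry lapses."""
    def __init__(self):
        self.entries = {}

    def revoke(self, jti: str, token_exp: int) -> None:
        # Entry lives only as long as the token could still be accepted.
        self.entries[jti] = token_exp

    def is_revoked(self, jti: str, now: int) -> bool:
        lapse = self.entries.get(jti)
        if lapse is not None and lapse <= now:  # emulate the cache TTL firing
            del self.entries[jti]
            return False
        return lapse is not None

def verify(token: str, store: RevocationStore, now: int) -> dict:
    """Return the claims, or raise ValueError naming the failed check."""
    head, body, sig = token.split(".")
    if not hmac.compare_digest(sign(head + "." + body), b64d(sig)):
        raise ValueError("bad signature")
    if json.loads(b64d(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64d(body))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if store.is_revoked(claims["jti"], now):  # the only stateful lookup
        raise ValueError("revoked")
    return claims
```

Because each entry lapses when its token expires, the store only ever holds jtis of revoked tokens that are still within their validity window.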