According to Matt Way's answer in this post: Invalidating JSON Web Tokens

The #2 solution is about using a token blacklist, but I have a question: how does the server know exactly which old token to add to the blacklist? For example: when I log in, I receive the "ABCD" token from the server, and the server does not keep this token anywhere. Then I change my password (or log out); the server should send me a new token like "EFGH" and invalidate the old "ABCD" (by adding "ABCD" to the blacklist until its expiry date), but the issue is: how can the server know the old "ABCD" token in order to add it to the blacklist?

Tags: node.js, authentication, jwt, access-token
To perform actions related to an account, the JWT generated on connection must be present in the headers of the request (usually in the

It is the client that stores the token and sends it whenever necessary to authenticate itself to the server.

It only remains for the server to retrieve the token present in the headers to invalidate it and blacklist it when necessary.