There is a nice article on Auth0 about Blacklisting JSON Web Token API Keys where they give a good real-world example of how to blacklist a JWT API key so it is no longer valid. You should give it a read.
> Framing the problem
>
> Providing support for blacklisting JWTs poses the following questions:
>
> - How are JWTs individually identified?
> - Who should be able to revoke JWTs?
> - How are tokens revoked?
> - How do we avoid adding overhead?
>
> This blog post aims to answer the previous questions by leveraging our experience from implementing this feature in our API v2.

The article breaks down each point and then shows some example code on how to achieve it and concludes with:

> Most of the aforementioned content applies to blacklisting JWTs in general, not just JWT API keys.
>
> Hopefully this blog post has provided some useful ideas on how to tackle this problem.
I've personally applied similar methodologies to revoke multiple sign-ins where the tokens were used similarly to session IDs and stored in cookies. I modeled it on the GitHub profile section where you, the user, can see all your other active sessions and revoke them (remote sign-out) when needed.
As far as best practice is concerned, I believe that topic would be rather opinion-based. I do however see Auth0 as a source of good practices in this topic area, with a lot of people experienced on the matter.
UPDATE:
Found this express-jwt plugin for token blacklisting on npm