First of all, I'm still relatively new to the topic of security and might not think of some aspects.
Recently, I've been working on an API with JWT authentication, but now I need to revoke the tokens on demand instead of waiting until they expire by themselves. Of course, I should not save the tokens in the DB, as it would be possible for everyone with access to the DB (currently only me) to log in as any user. Therefore I thought of generating a random "secret" for every token and saving said "secret" in the token as well as the DB. If the "secret" can be found in the DB, the token is still valid; otherwise the token will be rejected as invalid when attempting to use a protected API route. Because of the storage overhead, I thought of limiting the active sessions, and therefore the stored secrets, to about 10.
Now to the actual question: Is it secure to do so or are there any significant attack vectors connected to that approach (the secret is randomly generated and therefore doesn't contain sensitive data)? Or is there any better way not relying on expiration times?
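
Added example (not part of the original question): the scheme described above, with the random per-token "secret" carried as the JWT `jti` claim, a dict standing in for the DB table, and the cap of 10 sessions per user. HS256, the function names, and evicting the oldest session once the cap is reached are assumptions; `exp` is omitted to keep the focus on revocation.

```python
import base64, hashlib, hmac, json, secrets

KEY = secrets.token_bytes(32)  # signing key (assumption: HS256), never stored in the DB
MAX_SESSIONS = 10              # session cap from the question
sessions = {}                  # stand-in for the DB table: user -> {jti: True}, oldest first

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, key: bytes) -> str:
    return _b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def encode(claims: dict, key: bytes) -> str:
    """Serialize and sign a compact JWT (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_sign(f'{header}.{payload}', key)}"

def issue(user: str) -> str:
    """Create a token with a random id and record only that id for the user."""
    jti = secrets.token_urlsafe(16)
    active = sessions.setdefault(user, {})
    while len(active) >= MAX_SESSIONS:
        del active[next(iter(active))]  # dicts keep insertion order: drop the oldest
    active[jti] = True
    return encode({"sub": user, "jti": jti}, KEY)

def verify(token: str):
    """Return the claims if the signature is valid and the jti is still stored."""
    try:
        header, payload, sig = token.split(".")
        # Always verify as HS256 with our key; the header's alg is not trusted.
        if not hmac.compare_digest(sig, _sign(f"{header}.{payload}", KEY)):
            return None
        claims = json.loads(_unb64(payload))
        if claims["jti"] in sessions.get(claims["sub"], {}):
            return claims
    except (ValueError, TypeError, KeyError):
        pass  # malformed token, bad base64/JSON, or missing claims
    return None

def revoke(user: str, jti: str) -> None:
    """Revoke one session by deleting its id from the store."""
    sessions.get(user, {}).pop(jti, None)
```

The stored id is only a lookup key: a token rebuilt from a known `jti` but signed without `KEY` fails the signature check, so reading the table alone is not enough to produce a token that `verify` accepts.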