User logout

Users who log in using JWT are given an access token and a refresh token. They must present the access token whenever they request a protected resource. When it expires, they can renew it using the refresh token. To log a user out of our system, we must ensure that the JWTs they already hold cannot be used to access protected resources, while still being able to issue new JWTs if they log in again.

We can accomplish that by keeping the expiration time of an access token short and blocklisting the refresh token on logout. Blocklisting means adding the token to a list of tokens that are no longer accepted. That makes it impossible for users to request a new access token using their current refresh token, and the short-lived access token they still hold expires on its own.

Note: We use the term “blocklisting,” but the Simple JWT package below uses “blacklisting.” These terms mean the same thing.
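The following is an added, self-contained Python sketch of the logout mechanism described above. It is not Simple JWT's own code: it uses a constructed secret, hand-rolled HS256 tokens, and an in-memory `set` where Simple JWT keeps its blacklist in the database.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-secret"  # constructed for this example, not a real key
ACCESS_LIFETIME, REFRESH_LIFETIME = 300, 86400  # seconds; access is short so it dies soon after logout
_blocklist: set = set()  # jti values of refresh tokens that may no longer be renewed (in-memory stand-in)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode(payload: dict) -> str:
    """Produce a compact HS256 JWT (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def decode(token: str, now: float, token_type: str) -> dict:
    """Verify signature, expiry and type; reject blocklisted refresh tokens."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        raise ValueError("token expired")
    if payload["token_type"] != token_type:
        raise ValueError("wrong token type")
    if token_type == "refresh" and payload["jti"] in _blocklist:
        raise ValueError("refresh token is blocklisted")
    return payload

def login(user_id: int, now: float) -> dict:
    """Issue a fresh access/refresh pair; a re-login after logout gets new tokens."""
    return {
        "access": encode({"token_type": "access", "user_id": user_id, "exp": now + ACCESS_LIFETIME}),
        "refresh": encode({"token_type": "refresh", "user_id": user_id, "jti": uuid.uuid4().hex, "exp": now + REFRESH_LIFETIME}),
    }

def refresh(refresh_token: str, now: float) -> str:
    """Renew the access token; fails once the refresh token is expired or blocklisted."""
    payload = decode(refresh_token, now, "refresh")
    return encode({"token_type": "access", "user_id": payload["user_id"], "exp": now + ACCESS_LIFETIME})

def logout(refresh_token: str, now: float) -> None:
    """Blocklist the refresh token's jti; the short-lived access token simply expires."""
    _blocklist.add(decode(refresh_token, now, "refresh")["jti"])
```

After `logout`, the old refresh token is rejected, the old access token works only until its short lifetime ends, and a new `login` issues tokens that work again.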
