Also you're typically already looking up the user so you can just add a token_version property on the user and increment it when you want to expire tokens for that user. JWT problem solved without any additional work for the db.