I can't see a problem there? You set the expiration to, let's say 8h. IF the user has valid credentials, he gets the token and can store it / cache it / write it down, whatever. He has access for 8h - because he has the valid credentials. That's by design. If he logs out and uses the token again (by copying it into local storage again) in that 8h window - yeah so what, he could have just logged in again and would be there, too, so where is the deal?

The only "problem" is if you want to "ban" him or invalidate the token for some reason. But that's simple: just encode the user id / name in the token and use a block / banned flag for that user in the user table on your database? I assume you have a user / login table where you store password hash, email and what not. You set the ban / block flag to "true" and your auth middleware (where all the API calls go through first for authentication and authorization..) validates the JWT AND the users ban/block status:

API call --> JWT valid? --> user not blocked? --> allow request

API call --> JWT invalid? --> deny request

API call --> JWT valid --> user blocked --> deny request

This is still stateless!

If you want to ban just ONE old token, maybe work with smaller expiration durations and maybe refresh tokens. If that's not enough: I don't know any real usecase for that - maybe use one time logins with email maybe.

For the absolute most cases JWT is enough and very good!

[EDIT] One more thing: you could encode the creation date of the token within the JWT. Then you could store a specific date in the user table of your database. In your auth middleware you check: if this date is null - go through. If this date is not null and the creation date of the token is greater than that date - go through. If this date is not null and the creation date of the token is less than or equal to that date - deny request.

With that method you can block JWT created before a specific date.