Mark invalid tokens, store until their expiration time and check it in every request.
A blacklist breaks JWT statelessness because it requires maintaining state. One of the benefits of JWT is that it needs no server storage, so if you need to revoke tokens without waiting for expiration, also think about the downside.
The blacklist can be easily managed in your own service/database. The storage size probably would not be large, because only tokens that are between logout and expiry time need to be stored.
Include the full token or just the unique ID jti. Set the iat (issued at) to remove old tokens.
To revoke all tokens after updating critical data on a user (password, permissions, etc.), set a new entry with currentTime - maxExpiryTime < last iss. The entry can be discarded when currentTime - maxExpiryTime > lastModified (no more non-expired tokens sent).
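The per-token (jti) denylist and the per-user lastModified cutoff described above, as an added example in Python (not code from the answer). It assumes tokens are already signature-verified and decoded into a dict of claims, a maximum token lifetime of one hour, and in-memory dicts standing in for the service's database:

```python
class RevocationStore:
    """Denylist for JWTs: per-token (jti) and per-user (lastModified) revocation."""

    def __init__(self, max_ttl):
        self.max_ttl = max_ttl      # longest lifetime the issuer grants (assumed: 3600 s)
        self.denylist = {}          # jti -> exp of the revoked token
        self.last_modified = {}     # sub -> time of the last critical change

    def revoke_token(self, claims):
        # Logout: remember the jti only until the token would have expired anyway.
        self.denylist[claims["jti"]] = claims["exp"]

    def revoke_all_for_user(self, sub, now):
        # Password/permission change: every token issued at or before `now` is rejected.
        self.last_modified[sub] = now

    def prune(self, now):
        # Denylist entries for already-expired tokens serve no purpose any more.
        self.denylist = {j: e for j, e in self.denylist.items() if e > now}
        # Once now - max_ttl > lastModified, no token issued before the change
        # can still be unexpired, so the per-user entry can be discarded.
        self.last_modified = {s: t for s, t in self.last_modified.items()
                              if now - self.max_ttl <= t}

    def is_valid(self, claims, now):
        # Signature and issuer checks are assumed to have passed before this point.
        if claims["exp"] <= now:
            return False
        if claims["jti"] in self.denylist:
            return False
        cutoff = self.last_modified.get(claims["sub"])
        # `<=` on purpose: a token issued in the same second as the critical
        # change cannot be proven to post-date it, so it is treated as stale.
        if cutoff is not None and claims["iat"] <= cutoff:
            return False
        return True
```

Run prune() periodically (or on each request, if the store is small) so the blacklist only ever holds tokens that are between logout and expiry.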