— Even if you use a library, it can't protect you from misusing it
— Wat? That defeats the purpose
— It's the only way to "revoke" tokens
— Then in addition you can run randomized GC on the table to clear out expired tokens
— So you actually store tokens
— If you need a DB you can just avoid JWT entirely and use normal stateful sessions
— You have to store them to "revoke" them, yes
— Otherwise, there is no way to stop an attacker from using the token
— You should detect the CSRF attempt and blacklist the JWT