I'm building a mobile app and am using JWT for authentication.
It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want.
Below are the steps to revoke your JWT access token:
Please let me know if you need more details, I can share the code (Java + Spring boot) as well.
For your questions:
Q1: It's another JWT with fewer claims put in, with a long expiry time.
Q2: It won't be in a database. The backend will not store it anywhere. It will just decrypt the token with the private/public key and also validate its expiry time.
Q3: Yes, correct.
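The scheme described in this answer, as an added example that is not the answerer's Java + Spring Boot code: a short-lived access token paired with a long-lived refresh token that carries fewer claims, both self-contained JWTs that the backend checks with a key pair and an expiry and never stores. It is written in Go with only the standard library. Everything not stated in the answer is an assumption: Ed25519 (EdDSA) as the signing algorithm, a 15 minute / 30 day lifetime pair, a `typ` claim to keep the two token kinds apart, and a `lookupRoles` stub standing in for the user store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the JWT payload; only the access token carries roles.
type Claims struct {
	Sub   string   `json:"sub"`
	Typ   string   `json:"typ"` // "access" or "refresh"
	Exp   int64    `json:"exp"`
	Roles []string `json:"roles,omitempty"`
}

const (
	AccessTTL  = 15 * time.Minute    // assumed lifetime, not from the answer
	RefreshTTL = 30 * 24 * time.Hour // assumed lifetime, not from the answer
	header     = `{"alg":"EdDSA","typ":"JWT"}`
)

var b64 = base64.RawURLEncoding

// Sign builds a compact JWS (header.payload.signature) over the claims.
func Sign(priv ed25519.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// Verify checks the signature with the public key, then the token type and expiry; nothing is looked up in a store.
func Verify(pub ed25519.PublicKey, token, wantTyp string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	// Pin the algorithm: only the exact header this issuer produces is accepted,
	// so a token with "alg":"none" or a different algorithm is rejected outright.
	if hdr, err := b64.DecodeString(parts[0]); err != nil || string(hdr) != header {
		return Claims{}, errors.New("unexpected header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if body, err := b64.DecodeString(parts[1]); err != nil {
		return Claims{}, err
	} else if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	if c.Typ != wantTyp {
		return Claims{}, fmt.Errorf("token type %q, want %q", c.Typ, wantTyp)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// IssuePair mints a short-lived access token and a long-lived refresh token with fewer claims for the same subject.
func IssuePair(priv ed25519.PrivateKey, sub string, roles []string, now time.Time) (string, string, error) {
	access, err := Sign(priv, Claims{Sub: sub, Typ: "access", Exp: now.Add(AccessTTL).Unix(), Roles: roles})
	if err != nil {
		return "", "", err
	}
	refresh, err := Sign(priv, Claims{Sub: sub, Typ: "refresh", Exp: now.Add(RefreshTTL).Unix()})
	return access, refresh, err
}

// Refresh is the refresh-endpoint logic: only a valid, unexpired refresh token yields a new pair.
// lookupRoles stands in for the user store (constructed stub, not part of the answer).
func Refresh(priv ed25519.PrivateKey, pub ed25519.PublicKey, refreshToken string, now time.Time, lookupRoles func(string) []string) (string, string, error) {
	c, err := Verify(pub, refreshToken, "refresh", now)
	if err != nil {
		return "", "", err
	}
	return IssuePair(priv, c.Sub, lookupRoles(c.Sub), now)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t0 := time.Now()
	access, refresh, _ := IssuePair(priv, "alice", []string{"user"}, t0)
	_, err := Verify(pub, access, "access", t0.Add(AccessTTL)) // expired by now
	fmt.Println("stale access token:", err)
	_, _, err = Refresh(priv, pub, refresh, t0.Add(time.Hour), func(string) []string { return []string{"user"} })
	fmt.Println("refresh after one hour ok:", err == nil)
}
```

The `typ` check matters: without it a stolen access token could be presented to the refresh endpoint and exchanged for a fresh pair, or a refresh token used directly as a bearer token. The caveat of the stateless design from Q2 is that a refresh token cannot be withdrawn before its expiry without some server-side record (a key rotation, a denylist, or a per-user token version), since the backend has nothing to compare it against.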