On logout invalidate flask-JWT

Check flask-jwt-extended. It has support for blacklisting tokens built into the extension (and is still actively supported, unlike flask-jwt, which has been abandoned).

https://flask-jwt-extended.readthedocs.io/en/stable/blacklist_and_token_revoking/


The JWT token system works in a way that you put the USER identity (or related) data and a token expiry param in the generated token itself, which is signed with a non-shared (secret) key. If you want to invalidate the token, you need to blacklist the token in a table and check it on views/routes, or delete the token from the client so that the client needs to regenerate the token again.

NOTE: putting any constraints in the payload itself is not a good idea. If you don't want the blacklisting method, use other token-generating schemes like Hawk, where the generated token is saved in a DB/other storage solution and on invalidate/logout it is deleted.

If you want to log out a user from all devices:

1. Keep a user-specific secret key in the DB and use that secret key to create the JWT token.
2. Assign a new secret key to the user, which will in effect invalidate all JWT tokens sent to the user/clients.
3. This can be useful when the user has changed his/her password.


As has already been answered, a blacklist is one of the basic ways to invalidate JWT tokens. However, it should be noted that the blacklisted tokens should be kept in the DB (or anywhere else) only until their expiry date, unless you need to keep all tokens for some reason.

Also, it's important to make the validity time of a JWT token as short as possible, so that in the majority of cases they will be quickly invalidated by flask-jwt itself. For example, it might make sense to set the expiry time for a token to 30 minutes, like a session time-out on some websites (definitely not days or months, etc.).
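To make the two invalidation strategies from the answers above concrete (a jti blacklist that only needs to hold entries until the token's own expiry, and a per-user signing secret that is rotated to log out everywhere), here is an added, stdlib-only example that is not code from any of the answers or from flask-jwt-extended. The in-memory `USER_KEYS` and `BLOCKLIST` dicts and the `now` parameter (for deterministic tests) are assumptions standing in for a real DB and the wall clock.

```python
# Added example (not from the answers above or from flask-jwt-extended):
# minimal HS256 JWT with a jti blacklist pruned at expiry, plus per-user
# secret rotation that invalidates every token a user holds. Stdlib only.
import base64, hashlib, hmac, json, secrets, time

USER_KEYS = {}   # user -> current signing secret (constructed, in-memory stand-in for a DB)
BLOCKLIST = {}   # revoked jti -> exp; the entry is only needed until that exp

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(user: str, ttl: int = 1800, now=None) -> str:
    """Sign a short-lived token (30 min default) with the user's current secret."""
    now = int(time.time()) if now is None else now
    key = USER_KEYS.setdefault(user, secrets.token_bytes(32))
    claims = {"sub": user, "jti": secrets.token_hex(8), "iat": now, "exp": now + ttl}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify(token: str, now=None):
    """Return the claims if signature, expiry and blacklist all pass, else None."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        key = USER_KEYS.get(claims["sub"])          # rotated key -> old tokens fail here
        if key is None:
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
    except (ValueError, KeyError, TypeError):
        return None
    if claims["exp"] <= now or claims["jti"] in BLOCKLIST:
        return None
    return claims

def revoke(token: str, now=None) -> None:
    """Logout on one device: blacklist this jti until the token would expire anyway."""
    claims = verify(token, now)
    if claims:
        BLOCKLIST[claims["jti"]] = claims["exp"]
    prune(now)

def prune(now=None) -> int:
    """Drop blacklist entries whose token has expired; returns how many were removed."""
    now = int(time.time()) if now is None else now
    expired = [jti for jti, exp in BLOCKLIST.items() if exp <= now]
    for jti in expired:
        del BLOCKLIST[jti]
    return len(expired)

def logout_everywhere(user: str) -> None:
    """Rotate the user's secret: every token signed with the old one now fails verify()."""
    USER_KEYS[user] = secrets.token_bytes(32)
```

In a real deployment `BLOCKLIST` would be a DB table or cache with a TTL equal to the token lifetime, which is exactly why keeping tokens short-lived keeps that table small.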