Store revoked JWT IDs (jti) in Redis with a TTL equal to the token's remaining lifetime. In JwtStrategy.validate(), check Redis for the jti before trusting the token. Redis lookups are sub-millisecond — far cheaper than database queries. When the token expires naturally, the Redis key expires too, keeping the blacklist lean.
Include jti (JWT ID) in every token payload — use randomUUID() to generate a unique identifier.
TTL = token expiry - current time — the Redis key expires automatically when the token would have expired anyway.
Redis EXISTS is O(1) and sub-millisecond — negligible overhead compared to a database lookup.
This approach enables per-token revocation without invalidating all tokens for a user.
For revoking all tokens of a user at once, store a revocation timestamp per user and reject any token whose iat is not later than that timestamp.
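The pieces above, put together as an added TypeScript example that is not part of the original note: an in-memory stand-in for the three Redis commands the strategy needs (SET with EX, EXISTS, GET), payload construction with a randomUUID() jti, per-token and per-user revocation, and the check a JwtStrategy.validate() would run. The names InMemoryStore, buildPayload, revokeToken, revokeAllForUser, the `revoked:` key prefixes and ACCESS_TOKEN_TTL are assumptions for this example; it operates on the decoded payload because passport-jwt verifies the signature and exp before validate() is called.

```typescript
import { randomUUID } from 'crypto';

// Minimal stand-in for the Redis commands used here (SET key value EX ttl,
// EXISTS, GET). Constructed for this example so it runs offline; a real
// deployment would back this interface with an ioredis or node-redis client.
interface RevocationStore {
  setex(key: string, ttlSeconds: number, value: string): void;
  exists(key: string): boolean;
  get(key: string): string | null;
}

class InMemoryStore implements RevocationStore {
  private data = new Map<string, { value: string; expiresAt: number }>();
  // The clock is injectable so TTL behaviour can be exercised deterministically.
  constructor(private clock: () => number) {}

  setex(key: string, ttlSeconds: number, value: string): void {
    this.data.set(key, { value, expiresAt: this.clock() + ttlSeconds });
  }
  private live(key: string): { value: string; expiresAt: number } | undefined {
    const entry = this.data.get(key);
    if (!entry) return undefined;
    if (entry.expiresAt <= this.clock()) {
      this.data.delete(key); // lazy expiry, the same observable effect as a Redis TTL
      return undefined;
    }
    return entry;
  }
  exists(key: string): boolean { return this.live(key) !== undefined; }
  get(key: string): string | null { return this.live(key)?.value ?? null; }
}

interface JwtPayload { sub: string; jti: string; iat: number; exp: number }

// Assumed maximum access-token lifetime in seconds.
const ACCESS_TOKEN_TTL = 900;

// The claims the signer embeds. jti is a random UUID so every token is individually addressable.
function buildPayload(userId: string, now: number): JwtPayload {
  return { sub: userId, jti: randomUUID(), iat: now, exp: now + ACCESS_TOKEN_TTL };
}

// Per-token revocation: the key lives exactly as long as the token could still be presented.
// Returns false when the token is already expired and nothing needs storing.
function revokeToken(store: RevocationStore, payload: JwtPayload, now: number): boolean {
  const ttl = payload.exp - now;
  if (ttl <= 0) return false;
  store.setex(`revoked:jti:${payload.jti}`, ttl, '1');
  return true;
}

// Per-user revocation: record the time; every token issued at or before it is rejected.
// After ACCESS_TOKEN_TTL seconds no token issued before `now` can still be unexpired,
// so the marker itself can age out on the same schedule.
function revokeAllForUser(store: RevocationStore, userId: string, now: number): void {
  store.setex(`revoked:user:${userId}`, ACCESS_TOKEN_TTL, String(now));
}

// What JwtStrategy.validate() does once the signature and exp have been verified.
// Returns the principal to attach to the request, or null to reject the token.
function validate(store: RevocationStore, payload: JwtPayload): { userId: string } | null {
  // A token without a jti can never be revoked individually, so refuse it outright.
  if (!payload.jti) return null;
  if (store.exists(`revoked:jti:${payload.jti}`)) return null;
  const revokedAt = store.get(`revoked:user:${payload.sub}`);
  if (revokedAt !== null && payload.iat <= Number(revokedAt)) return null;
  return { userId: payload.sub };
}
```

The user-level check uses `iat <= revokedAt` deliberately: iat has one-second resolution, so a token minted in the same second as a "log out everywhere" cannot be told apart from one minted just before it, and is treated as revoked; a session created afterwards gets a later iat and passes. Refusing payloads with no jti closes the gap where an older token format would otherwise be immune to per-token revocation.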