JWT and other token authentication mechanisms do not have the concept of logout.
However one can implement such a mechanism with the expense of having to keep track of revoked tokens.
To do this say for JWT or OAuth the minimum you need is a table either nosql, sql, redis with the following info:
{token, expiration_date}
Now every time there is a request you must first verify if the token is present on that table:
if yes then you refuse the request with 401 else continue with normal jwt validatio which may lead again to a 401/403
When a user does logout:
insert the token and its expiration date into the table.
System maintenance, you need a cron job to clean tokens that expiration date is in the past or use something like:
redis expireat:
http://redis.io/commands/EXPIREAT mongo ttl indexes:
http://docs.mongodb.org/manual/tutorial/expire-data/for SQL you might want some cron job with a trigger...