> as a general question: how are jwts invalidated in supertokens? We have access token blacklisting as a feature. Essentially, when this is switched on, we extract the session ID from the access token (JWT), and check if that ID is in the db or not. If the session is removed, that ID will not be in the db.