So when logging out, we clear the cookies on the frontend & revoke the session from the DB. In this case, if the JWT access token was previously saved manually by the user, they will still be able to access the APIs. That's why it's recommended to keep them as short lived as possible. We also have access token blacklisting, which will instantly revoke the JWT. However, there you loose the performance benefit of session verification.