@User , maybe you missed this:
> One point to be aware is that unless you enable access token blacklisting, the existing logged in device will not get logged out until it refreshes its session - which will happen depending on the configured access token's lifetime (which is 1 hour by default)
Would this be OK?