One point to be aware is that unless you enable access token blacklisting, the existing logged in device will not get logged out until it refreshes its session - which will happen depending on the configured access token's lifetime (which is 1 hour by default)