Currently the only way to invalidate a JWT granting limited-lifetime access to certain resources is to rotate the HMAC signature secret, which will in fact invalidate all tokens. There should probably be a more fine-grained way of doing this, though since tokens are relatively short-lived (currently 1 hour; we might want to decrease that), it's probably OK for now.
Implementing this will require some level of server-side state (a collection of invalidated tokens), which is counter to the stateless nature of tokens to begin with.
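The fine-grained approach described above, as an added example that is not code from this project: a denylist keyed by a per-token `jti` claim, where each entry is dropped once the token's own `exp` has passed, so the server-side state never outlives the 1-hour lifetime. The `jti` claim, the secret value, and every function and class name here are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed key, for illustration only
TTL = 3600                           # 1-hour lifetime, as stated in the issue

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(sub, jti, now):
    """Mint an HS256 token carrying a unique id (jti) that can be revoked later."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "jti": jti, "exp": int(now) + TTL}).encode())
    return f"{header}.{body}.{_b64(_sign(f'{header}.{body}'))}"

class Denylist:
    """Revoked token ids, each kept only until the token would expire anyway."""
    def __init__(self):
        self._revoked = {}  # jti -> exp of the revoked token

    def revoke(self, jti, exp):
        self._revoked[jti] = exp

    def prune(self, now):
        # Expired tokens are rejected by the exp check, so their entries can go.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def __contains__(self, jti):
        return jti in self._revoked

    def __len__(self):
        return len(self._revoked)

def verify(token, denylist, now):
    """Return the claims if authentic, unexpired and not revoked, else None."""
    try:
        header, body, sig = token.split(".")
        # The algorithm is fixed server-side; the header's alg is never trusted.
        if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= now or claims.get("jti") in denylist:
        return None
    return claims
```

Calling `prune` periodically bounds the denylist to tokens revoked within the last `TTL` seconds, which is the cost of the server-side state the issue mentions.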