It’s pretty simple to check a JWT’s issued time again a timestamp representing the last time an account changed password / revoked all sessions.