#recommended way to handle logout
6 messages · Page 1 of 1 (latest)
If you're using tokens, and you need a way to ensure that someone has logged out, the token needs to live until the end of its lifespan in some sort of restrict list. You need to verify the incoming token is not on that list as well.
If storing the token in cookies, is it possible to just remove the token from the cookies?
You should still invalidate the token in some sort of way, because if anyone were to get it and send it while it was still valid, by some sort of method, they could then impersonate the user.
Yeah, that's what I thought. So basically I need to create a sort of blacklist, because according to what I read, once the token has been signed, I can't unsign it.
If you are looking to do a session management with tokens, you usually need two token types (access and refresh) and you whitelist tokens as being "ok" and remove them from the whitelist to revoke the user's access.