tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen

Home Page: https://jwt-auth.com

Logout seems to do nothing!

ramtinq opened this issue

The Auth::guard()->logout() seems to do nothing! It doesn't invalidate the token; the token can still be used in further requests. Passing true to it doesn't make a difference. How does the blacklist work? Couldn't find any documentation about it.

Can you please help me with how the user can actually be logged out as soon as he still has the token? Doesn't it require a database table or session storage to create a blacklist of tokens? Where do we define it?

I had to set JWT_SHOW_BLACKLIST_EXCEPTION=true in my .env file to prevent old tokens being accepted after logging out.
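
How logout can take effect for a stateless token, as an added illustration that is not part of the issue thread and not jwt-auth's own code: the server records the token's `jti` at logout and rejects it on every later verification. The `Denylist` class, the function names, the key and the claims are hypothetical, and the in-memory array stands in for a cache shared by all workers.

```php
<?php
declare(strict_types=1);
// Added illustration, not jwt-auth's code: HS256 verification with a jti denylist.

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function issueToken(array $claims, string $key): string {
    $msg = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT'])) . '.' . b64url(json_encode($claims));
    return $msg . '.' . b64url(hash_hmac('sha256', $msg, $key, true));
}

// Hypothetical in-memory store (jti => exp); a real deployment needs a cache shared by all workers.
final class Denylist {
    private array $revoked = [];
    public function add(string $jti, int $exp): void { $this->revoked[$jti] = $exp; }
    public function has(string $jti, int $now): bool {
        // An entry is only needed until the token would have expired anyway.
        $this->revoked = array_filter($this->revoked, fn (int $exp) => $exp > $now);
        return isset($this->revoked[$jti]);
    }
}

function verifyToken(string $jwt, string $key, Denylist $deny, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$head, $body, $sig] = $parts;
    // Signature first, constant-time compare; the algorithm is fixed, never read from the header.
    if (!hash_equals(b64url(hash_hmac('sha256', "$head.$body", $key, true)), $sig)) return null;
    $json = base64_decode(strtr($body, '-_', '+/') . str_repeat('=', (4 - strlen($body) % 4) % 4), true);
    $claims = json_decode((string) $json, true);
    if (!is_array($claims) || !is_string($claims['jti'] ?? null) || !is_int($claims['exp'] ?? null)) return null;
    if ($claims['exp'] <= $now) return null;            // expired
    if ($deny->has($claims['jti'], $now)) return null;  // revoked at logout
    return $claims;
}

// Constructed sample values.
$key = 'constructed-demo-key';
$now = 1700000000;
$deny = new Denylist();
$jwt = issueToken(['sub' => 'user-1', 'jti' => bin2hex(random_bytes(8)), 'exp' => $now + 3600], $key);

$claims = verifyToken($jwt, $key, $deny, $now);
var_dump($claims !== null);                                  // check before logout
$deny->add($claims['jti'], $claims['exp']);                  // logout: record the jti until exp
var_dump(verifyToken($jwt, $key, $deny, $now + 1) !== null); // same token checked after logout
```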