You can implement your own refresh token logic.
If the JWT is expired, you hit a custom endpoint to reauth it.
It expects the old token and a refresh_token; if they are valid, you get new tokens back.
If you want to log the user out, you can delete the cookie and also their validation tokens.
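
The flow described above, as an added example that is not part of the original post. It assumes HS256-signed JWTs, an in-memory store holding only hashes of refresh tokens, and single-use (rotated) refresh tokens; the function names, the store and the signing key are hypothetical, and `logout` covers only the server-side half (the cookie is still cleared in the HTTP response).

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # constructed signing key for this example
REFRESH_STORE = {}                 # sha256(refresh_token) -> user id, kept server side

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_tokens(user, ttl=300, now=None):
    """Return (jwt, refresh_token); only a hash of the refresh token is stored."""
    now = time.time() if now is None else now
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "exp": int(now) + ttl}).encode())
    sig = _b64(hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())
    rtoken = secrets.token_urlsafe(32)
    REFRESH_STORE[hashlib.sha256(rtoken.encode()).hexdigest()] = user
    return f"{head}.{body}.{sig}", rtoken

def verify_jwt(token, allow_expired=False, now=None):
    """Return the claims if the signature (and, unless allowed, the expiry) checks out."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if not allow_expired and claims.get("exp", 0) <= now:
        return None
    return claims

def refresh_tokens(old_jwt, refresh_token, now=None):
    """The reauth endpoint: old JWT plus refresh token in, new pair out (or None)."""
    claims = verify_jwt(old_jwt, allow_expired=True, now=now)  # signature is still required
    key = hashlib.sha256(refresh_token.encode()).hexdigest()
    if claims is None or REFRESH_STORE.get(key) != claims.get("sub"):
        return None
    del REFRESH_STORE[key]         # rotate: each refresh token works exactly once
    return issue_tokens(claims["sub"], now=now)

def logout(user):
    """Server-side half of logout: drop every stored refresh token for the user."""
    for key in [k for k, u in REFRESH_STORE.items() if u == user]:
        del REFRESH_STORE[key]
```

The expired JWT is accepted only at the refresh endpoint and only with a valid signature; every other endpoint calls `verify_jwt` without `allow_expired`.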