JWT have a default expire date of 30 days.
Currently there is no way to revoke a JWT without revoking all users by changing the JWT_SECRET and restarting the server (which makes the JWT invalid).
Beyond that you would need to introduce a JWT “whitelist” or “blacklist” which Strapi doesn’t offer natively (yet). Where when a new JWT is issued you add it to a “whitelist” and implement your own /auth/logout function to remove it from this list. Likewise it would probably be a good idea to check if an expired token is used it is automatically removed from the “whitelist”
A “blacklist” would be a bit easier to implement but could quite quickly run out of control without regularly cleaning.