Stop using JWT for session tokens
You've got a framework that gives you sessions, just use that.
This is a topic that’s been covered quite a bit, but again, stop using JWT for session tokens.
See http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/ for it’s fantastic graph, it’s initial writeup at http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/, or see Okta piling on slightly later back in 2017 at https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens.