A user logs in with a JWT, an admin revokes it mid-session, and the API must catch the revoked token using a denylist cache.
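The flow above as a minimal sketch, added here as an illustration and not taken from the original page: the API verifies the signature and expiry, then checks the token's `jti` against the denylist on every request. The HS256 signing, the `jti` claim, the in-memory `Denylist` class (standing in for a shared cache) and all function names are assumptions of this example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed value for this example only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(msg: str) -> bytes:
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()

def issue(sub: str, jti: str, now: float, ttl: int = 900) -> str:
    """Issue an HS256 JWT carrying a unique jti and an exp claim."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "jti": jti, "exp": int(now) + ttl}).encode())
    return f"{header}.{body}.{_b64(_sign(f'{header}.{body}'))}"

class Denylist:
    """In-memory stand-in for a shared denylist cache (hypothetical)."""
    def __init__(self):
        self._revoked = {}  # jti -> exp of the revoked token

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def contains(self, jti: str, now: float) -> bool:
        # An entry only needs to outlive its token; prune it once exp has passed.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return jti in self._revoked

def authorize(token: str, denylist: Denylist, now: float) -> str:
    """Return 'ok', or the reason the API rejects the request."""
    try:
        header, body, sig = token.split(".")
        # The algorithm is fixed server-side; the header's alg is never trusted.
        if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
            return "bad-signature"
        claims = json.loads(_unb64(body))
    except ValueError:
        return "malformed"
    if claims["exp"] <= now:
        return "expired"
    if denylist.contains(claims["jti"], now):  # checked on every request
        return "revoked"
    return "ok"
```

Because each denylist entry is kept only until the token's own `exp`, the cache stays bounded by the number of revocations within one token lifetime.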