In Magento 2.4.8, JWT tokens are generated after a customer logs in using the REST API. A customer can log in from multiple browsers or devices, which creates multiple JWT tokens.
However, when any one token is revoked, Magento revokes all tokens associated with that customer. This happens because Magento revokes tokens based on the customer_id, not on the individual token value. As a result, logging out or revoking a token invalidates all active sessions for that customer across all browsers and devices.
This behavior is by design in Magento and ensures customer-wide security rather than per-device session management.
Is this correct, or does anyone have an idea about this?
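
A simplified model of the two revocation strategies the question contrasts, added here as an illustration and not Magento's own code. The class names, the claim names (`uid`, `jti`, `iat`, `exp`), the cutoff-timestamp design and the sample values are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Simplified model, not Magento code. Claims are assumed to come from a JWT
// whose signature and expiry have already been verified.

/** Customer-wide revocation: one cutoff timestamp stored per customer_id. */
final class CustomerWideRevocation
{
    /** @var array<int,int> customer_id => cutoff timestamp */
    private array $cutoff = [];

    public function revoke(array $claims, int $now): void
    {
        // Only the customer id is recorded; the token itself is not identified.
        $this->cutoff[$claims['uid']] = $now;
    }

    public function isValid(array $claims): bool
    {
        // Every token issued at or before the cutoff is rejected.
        return $claims['iat'] > ($this->cutoff[$claims['uid']] ?? 0);
    }
}

/** Per-token revocation: a denylist keyed on a unique token id (jti). */
final class PerTokenRevocation
{
    /** @var array<string,bool> jti => revoked */
    private array $denied = [];

    public function revoke(array $claims, int $now): void
    {
        $this->denied[$claims['jti']] = true;
    }

    public function isValid(array $claims): bool
    {
        return !isset($this->denied[$claims['jti']]);
    }
}

// Constructed sample: customer 42 is logged in on two devices.
$laptop = ['uid' => 42, 'jti' => 'a1', 'iat' => 1000, 'exp' => 4600];
$phone  = ['uid' => 42, 'jti' => 'b2', 'iat' => 1200, 'exp' => 4800];

foreach ([new CustomerWideRevocation(), new PerTokenRevocation()] as $store) {
    $store->revoke($laptop, 2000); // log out on the laptop only
    printf("%-24s laptop=%s phone=%s\n", get_class($store),
        var_export($store->isValid($laptop), true), var_export($store->isValid($phone), true));
}
```

In the customer-wide model the phone token stops validating as soon as the laptop logs out, while the per-token model needs a unique identifier in every token and a denylist entry kept until that token expires.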