The JWT spec provides the jti field as a way to prevent replay attacks. That being said tokens return by Auth0 currently (we are thinking abut adding it in the future) don't return a jti, but basically you would just blacklist the jti to prevent a token being used more than X times (X being 1 in ...