Everything I’ve seen, including this Community topic, indicates that there is no standard nor Auth0-specific way to invalidate an access token. The accepted manner of dealing with a logout event is to build a token blacklist into my API.
My question, then: Is this still the preferred way of handling this scenario? (Asking for a manager)
Yes, access tokens are stateless and are valid until expiration. You can do things to alleviate this concern, like shortening the lifetime of the tokens and refreshing more often with silent auth or a revocable refresh token.
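The token blacklist discussed in this thread, sketched as an added example (not code from the thread or from Auth0): revoked tokens are tracked by their `jti` claim and each entry is dropped once the token's own `exp` passes, so shorter token lifetimes also keep the list small. It assumes the API's JWT library has already verified the signature and that tokens carry `jti` and `exp`; the names `TokenDenylist` and `authorize` are hypothetical, and a multi-instance API would need a shared store in place of the in-memory dict.

```python
import heapq
import time


class TokenDenylist:
    """In-memory denylist of revoked access tokens, keyed by the `jti` claim."""

    def __init__(self):
        self._revoked = {}   # jti -> exp (Unix seconds)
        self._by_exp = []    # min-heap of (exp, jti) for cheap pruning

    def revoke(self, claims, now=None):
        """Record a logout for an already-verified token's claims."""
        now = time.time() if now is None else now
        jti, exp = claims["jti"], claims["exp"]
        if exp <= now or jti in self._revoked:
            return False     # expired tokens are rejected anyway; skip duplicates
        self._revoked[jti] = exp
        heapq.heappush(self._by_exp, (exp, jti))
        return True

    def purge(self, now=None):
        """Drop entries whose tokens have expired on their own."""
        now = time.time() if now is None else now
        while self._by_exp and self._by_exp[0][0] <= now:
            _, jti = heapq.heappop(self._by_exp)
            self._revoked.pop(jti, None)

    def is_revoked(self, jti, now=None):
        self.purge(now)
        return jti in self._revoked

    def __len__(self):
        return len(self._revoked)


def authorize(claims, denylist, now=None):
    """Return (allowed, reason) for claims whose signature was already verified."""
    now = time.time() if now is None else now
    if "jti" not in claims or "exp" not in claims:
        return False, "missing jti or exp"   # fail closed: cannot be checked
    if claims["exp"] <= now:
        return False, "expired"
    if denylist.is_revoked(claims["jti"], now):
        return False, "revoked"
    return True, "ok"
```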