I want to generate a single time use token(jwt) in order to append it to my custom reset password URL.
If you have your mind set that it needs to be a JWT, a common approach for handling single use is to include a claim in the token that uniquely identifies that token instance. Each time a token is used the claim value is checked against a blacklist and if not present the action is allowed and the value added to the blacklist to prevent subsequent use.
The blacklist would only contain the values associated with tokens that still haven’t expired so this way you could prune the blacklist from time to time in order to not grow continuously.
Thanks for the response @jmangelo. No, It’s not necessarily to be a JWT. Basically, I want to achieve a similar kind of functionality that a change password ticket provides in auth0.
Please let me know If there is some other way around. Your response is valuable here