How to kill the active token when the user clicks logout

Assuming the token was not leaked, then only the client application has knowledge of the token, which would mean removing it from storage could be enough because now no one has knowledge of the token. If you’re worried about the possibility of someone else having access to the token, then that’s a different problem altogether, as you would likely need a way to revoke/blacklist the token and also detect malicious usage (the revoke functionality could then also be used at logout as an extra precaution).

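An added example, not part of the original reply: a sketch of the server-side revoke list mentioned above, used at logout and checked on every request, which also records attempts to use a token after it was revoked. It assumes tokens carry a unique id (`jti`), a subject (`sub`) and an expiry in epoch seconds (`exp`), and that signature validation happens elsewhere; the class and field names are hypothetical.

```javascript
// Added example: server-side denylist for tokens revoked at logout.
// Assumptions (not from the original post): each token has a unique id (`jti`)
// and an expiry in epoch seconds (`exp`), and its signature has already been
// validated before these methods are called.
class TokenDenylist {
  constructor() {
    this.revoked = new Map(); // jti -> exp (epoch seconds)
    this.reuseEvents = [];    // attempts to use a token after revocation
  }

  // Called from the logout handler. An entry only has to live until the
  // token would have expired anyway, so the list stays bounded.
  revoke(claims, now) {
    if (claims.exp > now) this.revoked.set(claims.jti, claims.exp);
  }

  // Drop entries for tokens that have expired; the expiry check rejects those.
  purge(now) {
    for (const [jti, exp] of this.revoked) {
      if (exp <= now) this.revoked.delete(jti);
    }
  }

  // Called on every authenticated request, after signature validation.
  check(claims, now, sourceIp) {
    if (claims.exp <= now) return { allowed: false, reason: "expired" };
    if (this.revoked.has(claims.jti)) {
      // A logged-out token being presented again suggests a copy exists
      // somewhere other than the client that logged out: record it for review.
      this.reuseEvents.push({ jti: claims.jti, sub: claims.sub, sourceIp, at: now });
      return { allowed: false, reason: "revoked" };
    }
    return { allowed: true, reason: "ok" };
  }
}

// Constructed sample run (all values are made up for illustration).
function demo() {
  const list = new TokenDenylist();
  const t0 = 1700000000;
  const claims = { jti: "sample-jti-1", sub: "user-42", exp: t0 + 3600 };
  const before = list.check(claims, t0, "198.51.100.7");
  list.revoke(claims, t0 + 60);                        // user clicks logout
  const after = list.check(claims, t0 + 120, "203.0.113.9");
  list.purge(t0 + 3601);                               // token has now expired
  return { before, after, reuse: list.reuseEvents.length, size: list.revoked.size };
}

console.log(demo());
```

In a multi-instance deployment the map would live in a shared store with a per-entry TTL equal to the token's remaining lifetime.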