Invalidate session user after logout

How do I invalidate my user in my api after he has a new token? it has an access token and regardless of the time it expires, if an attacker obtains this token he will get data from the api, for example: 1 minute, he would be able to do many things in 1 minute.
I want to know how to invalidate the user in my api regardless of the token expiring but after he requests a new token. Should I use blacklist?