Welcome to the Auth0 Community!
Unfortunately, JWT access tokens cannot be revoked and are valid until they expire. Hence, the token can be used against the /userinfo
endpoint even though the user has already logged out.
In general, we recommend using short-lived access tokens to prevent token abuse/misuse.
I suggest referencing our Invalidating an Access Token after User Logout documentation for a detailed explanation.
Cheers,
Rueben