This methods seems a nice way to go https://auth0.com/blog/blacklist-json-web-token-api-keys/ but I guess it means fidling with the framework's internals.