
.net core 2.0 JWT token


I have a web API built with .NET Core 2.0 and a mobile app built with Xamarin. To log in, the mobile app makes a call to the web API, passing username and password. If the credentials are valid, the web API provides back a JWT token. The mobile app has a feature that keeps the user logged in even when you close the app, like Facebook, Instagram etc.

The questions are these:

  1. How to keep the JWT token valid while the user is logged in to the app, without asking him/her for the login credentials again to give him/her another valid JWT token?
  2. How to make the JWT token invalid after the user decides to log out from the app?

Solution

  • How to keep the JWT token valid while the user is logged in to the app, without asking him/her for the login credentials again to give him/her another valid JWT token?

    You can set a token expiry date and keep track of that.

  • How to make the JWT token invalid after the user decides to log out from the app?

    • If you keep the expiry time short and keep refreshing the token expiry until the user logs out.
    • You can save some kind of blacklist of invalid tokens so you can validate against that.

    Update:

    The JWT consists of the Header, Payload and Signature. You can read all about it here. In the payload you can set a claim called "exp".

    The docs: The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.

    Also, while researching to clarify my answer I found this SO answer: JSON Web Token expiration.
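The following is an added example, not code from the question or the answer above, showing the two mechanisms the answer describes on .NET Core 2.0: a short-lived token carrying an "exp" claim (enforced by `ValidateLifetime`), a "jti" denylist consulted on every request so that logout revokes a token before it expires, and a refresh step that retires the old token id and issues a fresh one while the user stays logged in. The class name, issuer/audience strings, the signing key and the in-memory `HashSet` denylist are all constructed for illustration; a real deployment would load the key from configuration and keep the denylist in a shared store (with each entry expiring at the token's "exp", so the list cannot grow without bound). It assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` package, which brings in `System.IdentityModel.Tokens.Jwt`.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper written for this example; names and the demo key are constructed.
public static class JwtSessionDemo
{
    private const string Issuer = "demo-issuer";
    private const string Audience = "demo-audience";

    // Constructed demo key (HS256 needs at least 32 bytes). Never hard-code a real key.
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-0123456789abcdef"));

    // Denylist of revoked token ids ("jti"). In production use a shared store and
    // drop each entry once the token's "exp" has passed, since it is refused anyway.
    private static readonly HashSet<string> RevokedJti = new HashSet<string>();

    private static readonly JwtSecurityTokenHandler Handler = new JwtSecurityTokenHandler();

    // Login succeeded: issue a short-lived token with "sub", "jti" and "exp" claims.
    public static string Issue(string username, TimeSpan lifetime)
    {
        var now = DateTime.UtcNow;
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, username),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
        };
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: claims,
            notBefore: now,
            expires: now.Add(lifetime),   // written to the payload as the "exp" claim
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return Handler.WriteToken(token);
    }

    // Shared by the JwtBearer middleware and the refresh endpoint.
    public static TokenValidationParameters ValidationParameters() => new TokenValidationParameters
    {
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = Key,
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateIssuerSigningKey = true,
        ValidateLifetime = true,                 // reject tokens whose "exp" has passed
        ClockSkew = TimeSpan.FromSeconds(30),    // library default is 5 minutes; tighten it
    };

    public static bool IsRevoked(JwtSecurityToken token) =>
        token?.Id == null || RevokedJti.Contains(token.Id);   // no "jti" means we cannot revoke it: refuse

    // Verify signature, issuer, audience and lifetime, then consult the denylist.
    public static JwtSecurityToken Validate(string jwt)
    {
        Handler.ValidateToken(jwt, ValidationParameters(), out SecurityToken validated);
        var token = (JwtSecurityToken)validated;
        if (IsRevoked(token))
            throw new SecurityTokenException("token has been revoked");
        return token;
    }

    // Logout: remember the "jti" so the token is refused until its own "exp" passes.
    public static void Revoke(string jwt)
    {
        var id = Handler.ReadJwtToken(jwt).Id;
        if (id != null) RevokedJti.Add(id);
    }

    // "Keep refreshing": accept a still-valid token, retire it, hand out a new one.
    public static string Refresh(string jwt, TimeSpan lifetime)
    {
        var old = Validate(jwt);
        Revoke(jwt);
        return Issue(old.Subject, lifetime);   // Subject reads the raw "sub" claim
    }

    // Startup.ConfigureServices hookup: the denylist check runs after the
    // middleware has already verified signature and "exp".
    public static void AddJwtAuth(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = ValidationParameters();
                options.Events = new JwtBearerEvents
                {
                    OnTokenValidated = ctx =>
                    {
                        if (IsRevoked(ctx.SecurityToken as JwtSecurityToken))
                            ctx.Fail("token has been revoked");
                        return Task.CompletedTask;
                    }
                };
            });
    }
}
```

The refresh call is what lets the app keep the user signed in without re-prompting for credentials: the client calls it shortly before "exp" with the token it still holds, and a token that was revoked at logout cannot be refreshed because `Validate` rejects it first. Because the denylist is only consulted inside `OnTokenValidated`, every other request still pays only the cost of a signature check plus one lookup.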