Hacker News

What if you want to implement logging out all user sessions?

You'd have to store something somewhere, so you end up losing the benefits of stateless authentication.



You could probably rotate the secret which would invalidate all existing sessions.


That would log out all users. That'd be pretty annoying.


That's a fancy feature. The article is all about sticking to what is simple and without fancy features.


No, it's a necessary feature if your credentials get stolen, which wouldn't surprise me considering how many people just cram JWTs into local storage, which is not the same as a secure cookie and has weaker security. Either you're setting the expiry time real low (which still won't stop someone who has four minutes 59 seconds left to wreck your stuff, because computers are fast), or you're maintaining a blacklist, which means, congratulations, you've just reinvented overly-complicated session tokens.
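Added example, not part of the thread above and not anyone's posted code: a minimal HS256 JWT mint/verify pair written against the Python standard library, followed by the "store something somewhere" approach the thread ends up at, done as a per-user session version rather than a blacklist. Every function name (`mint`, `verify`, `authenticate`, `logout_all_sessions`, `demo`), the `SESSION_VERSION` dict standing in for a real store, and the secret and timestamps are constructed for this example. The `demo` function walks through the three options discussed: per-user logout-all (only that user's tokens die, immediately), rotating the signing secret (everyone is logged out), and relying on expiry alone (a stolen token keeps working until `exp`).

```python
"""Added example (not part of the HN thread above).

Minimal HS256 JWT mint/verify with the standard library only, plus a per-user
"session version" that logs out all of one user's sessions without rotating the
signing secret for everyone. SESSION_VERSION is a hypothetical in-memory stand-in
for a real server-side store.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

SECRET = b"demo-secret-do-not-use"  # constructed for the example
TTL_SECONDS = 900                   # 15-minute tokens

# One integer per user. Reading it on every request is the "store something
# somewhere" cost the thread describes; it is what lets us revoke before `exp`.
SESSION_VERSION: Dict[str, int] = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(user_id: str, secret: bytes, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT carrying the user's current session version."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iat": now, "exp": now + TTL_SECONDS,
              "sv": SESSION_VERSION.get(user_id, 0)}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Stateless checks only: structure, pinned algorithm, signature, expiry."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def logout_all_sessions(user_id: str) -> None:
    """Invalidate every token this user holds, even ones with time left on `exp`."""
    SESSION_VERSION[user_id] = SESSION_VERSION.get(user_id, 0) + 1


def authenticate(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Stateful check: one store lookup per request to honour logout-all."""
    claims = verify(token, secret, now)
    if claims is None or claims.get("sv") != SESSION_VERSION.get(claims.get("sub"), 0):
        return None  # bad token, or issued before the user's last logout-all
    return claims


def demo() -> Dict[str, bool]:
    """Walk through the three options the thread argues about."""
    SESSION_VERSION.clear()
    t0 = 1_700_000_000
    alice, bob = mint("alice", SECRET, t0), mint("bob", SECRET, t0)
    r = {"fresh_ok": authenticate(alice, SECRET, t0 + 1) is not None}
    # 1. Per-user revocation: alice is out immediately, bob is untouched.
    logout_all_sessions("alice")
    r["alice_revoked"] = authenticate(alice, SECRET, t0 + 1) is None
    r["bob_unaffected"] = authenticate(bob, SECRET, t0 + 1) is not None
    r["alice_relogin_ok"] = authenticate(mint("alice", SECRET, t0 + 2), SECRET, t0 + 3) is not None
    # 2. Rotating the secret: every user's tokens die at once.
    r["rotation_logs_out_bob"] = authenticate(bob, b"new-secret", t0 + 1) is None
    # 3. Expiry alone: a stolen token keeps working right up to `exp`.
    r["valid_until_exp"] = verify(bob, SECRET, t0 + TTL_SECONDS - 1) is not None
    r["expired_rejected"] = verify(bob, SECRET, t0 + TTL_SECONDS) is None
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The version counter costs one small read per request, which is exactly the statefulness the first comment warns about, but it is far cheaper than a blacklist: there is nothing to expire or garbage-collect, and a compromised token is rejected on the next request rather than at `exp`. The `alg` pin in `verify` is there because a token that is allowed to name its own algorithm is a separate, well-known way to lose.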




