Custom auth
Unanswered
Tiphiid wasp posted this in #help-forum
Tiphiid waspOP
So currently I'm storing user-to-token mappings in a db so I can easily revoke them on compromise. Is there a better / safer way to do that?
11 Replies
Is your token a JWT token? If yes, yes there is a better way. You might want to directly use sessions to save only a session token on the client and send this through each request that needs them.
Tiphiid waspOP
I tried that, but what should I do if the token is compromised?
When you are using sessions (with a session token), which is what I recommend in your case, then you can simply delete the session and the user is unauthorized again.
Tiphiid waspOP
But what if someone was able to copy that session data on the client? If I delete it, a third actor could still use it.
On the client the session id is encrypted (normally; I don't know how you encrypt it). Also the session token is saved on the client and also saved on the server (inside the DB).
So your client contains, for example:
session_123456
as session token. And your database contains, for example:
user: 'user_123456', session: 'session_123456'
So if you now delete the session from the DB ("revoke access") and the client tries to make a request with their session token, there won't be any matching session inside the database and the client is thereby unauthorized.
Tiphiid waspOP
So I again have to make a db call on every request, right?
Yes. When you are using only a JWT (fully saved on the client for a specific time) you won't be able to revoke the access.
Tiphiid waspOP
Ok, so I guess I'll stick with my method.
u r using session tokens rn, right?
Tiphiid waspOP
I'm using opaque tokens stored in a db right now.
But I cache them in a map so that I don't have to make calls every time.