The JWT spec provides the jti field as a way to prevent replay attacks. That being said tokens return by Auth0 currently (we are thinking abut adding it in the future) don't return a jti, but basically you would just blacklist the jti to prevent a token being used more than X times (X being 1 in your case). You are kind of implementing a nonce (think of the token's signature as the nonce).
token放在https的header裡頭,免得被竊取