Comment on How to store user's access tokens/API keys without hashing them?
DeprecatedCompatV2@programming.dev 1 year ago
Here’s a simple approach:
- Basic auth via a custom header, like X-Auth
- JWT auth on Authorization header
- uuid on the JWT (as a claim) that gets stored temporarily (until it expires) to allow the server to revoke the token
Initial request -> server looks for Authorization header, falls back to X-Auth header -> generates JWT and sends back to client in Authorization header (or whatever makes sense)
Subsequent request -> server looks for Authorization header -> checks JWT against revocation database/table and that it isn’t expired
Subsequent request with expired token -> server returns 401, client retries using X-Auth header -> server sends back JWT on Authorization header -> client updates locally-stored JWT for future requests
There are probably ways to make this more standard or optimal, but this is a simple approach.
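The flow in the comment above, written out as a runnable server-side model. This is an added example, not code from the commenter or from any project; it assumes an HS256 signing key held only by the server (`SERVER_SECRET`), one constructed API key presented in `X-Auth`, a `Bearer` prefix on the `Authorization` header, and the JWT `jti` claim as the "uuid on the JWT". The revocation table and the API-key digest table are in-memory dicts standing in for a database. One defensive choice not stated in the comment: only a SHA-256 digest of each long-lived API key is stored, and lookups compare in constant time.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Assumptions (not from the original comment): an HMAC key known only to the
# server, and one constructed API key that the client presents in X-Auth.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
CONSTRUCTED_API_KEY = "constructed-api-key-for-user-42"
TOKEN_TTL = 3600  # seconds a minted JWT stays valid

# Server-side table of long-lived API keys. Only a SHA-256 digest of each key
# is kept, so a leaked table does not hand out usable credentials.
API_KEY_DIGESTS = {hashlib.sha256(CONSTRUCTED_API_KEY.encode()).hexdigest(): "user-42"}

# Revocation table: jti -> exp. An entry is only needed until the token would
# have expired on its own, so it can be pruned by exp.
REVOKED = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def lookup_api_key(presented: str):
    """Map an X-Auth value to a user, comparing digests in constant time."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored, user in API_KEY_DIGESTS.items():
        if hmac.compare_digest(stored, digest):
            return user
    return None


def issue_jwt(subject: str, now: int) -> str:
    """Mint an HS256 JWT carrying a random jti that can later be revoked."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "jti": str(uuid.uuid4()), "iat": now, "exp": now + TOKEN_TTL}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: int) -> dict:
    """Return the payload of a valid token, or raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    head_b64, body_b64, sig_b64 = parts
    # Verify the signature before trusting any field, including alg.
    expected = hmac.new(SERVER_SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(body_b64))
    if payload["exp"] <= now:
        raise ValueError("expired")
    if payload["jti"] in REVOKED:
        raise ValueError("revoked")
    return payload


def revoke_jwt(token: str, now: int) -> None:
    """Record the token's jti until its exp; after that the expiry check suffices."""
    payload = verify_jwt(token, now)
    REVOKED[payload["jti"]] = payload["exp"]


def prune_revoked(now: int) -> None:
    """Drop revocation entries for tokens that have expired anyway."""
    for jti, exp in list(REVOKED.items()):
        if exp <= now:
            del REVOKED[jti]


def handle_request(headers: dict, now: int):
    """Server side of the flow: Authorization header first, X-Auth as the fallback."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        try:
            payload = verify_jwt(auth[len("Bearer "):], now)
            return 200, {"user": payload["sub"]}
        except ValueError as err:
            # Expired, revoked, or tampered: client is expected to retry with X-Auth.
            return 401, {"error": str(err)}
    user = lookup_api_key(headers.get("X-Auth", ""))
    if user is None:
        return 401, {"error": "no valid credentials"}
    # Initial request (or retry after a 401): mint a fresh JWT for the client to store.
    return 200, {"Authorization": "Bearer " + issue_jwt(user, now)}


if __name__ == "__main__":
    t0 = int(time.time())
    status, body = handle_request({"X-Auth": CONSTRUCTED_API_KEY}, t0)
    jwt = body["Authorization"]
    print(status, handle_request({"Authorization": jwt}, t0))
    print(handle_request({"Authorization": jwt}, t0 + TOKEN_TTL))  # expired -> 401
```

The `now` parameter is passed explicitly so the expiry and pruning behaviour can be exercised without waiting; a real handler would read the clock. The signature is checked before the `alg` field is read, so a token that claims a different algorithm is rejected rather than interpreted.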