How to login users with email and log them out wit

Posted 2019-03-30 17:06

Question:

I have an existing, working Django application that implements numerous Django-REST-framework APIs. I've just added user authentication with Django-rest-framework-JWT and now I'm trying to learn it up. I have verified that it does issue me a token if I do the following curl:

curl -X POST -d "username=myuser&password=mypassword" http://localhost:3050/api-token-auth/

But I have a series of questions that I don't see being addressed in the documents. Please answer the following questions:

  1. How do I invalidate the token using curl? I need to do so when the user logs out.
  2. Where are these tokens stored in the DB? After implementing django-rest-framework-jwt, I don't see any new tables in my Django Admin interface.
  3. I would like to allow my users to log in with their usernames or their emails. So I would like to wrap the api-token-auth endpoint in a custom endpoint that checks if the given string is an email or username. If email, I will look up the username. Then call the api-token-auth. How should that endpoint look? I don't know how to wrap this api-token-auth method.

Answer 1:

  1. When using JWT for authentication you'd usually store the token in the browser's localStorage or sessionStorage. To log out you just remove the token. There's nothing else to invalidate.
  2. One of the benefits of using this kind of approach for authentication is that tokens are not persisted in the database, so you don't have to query a session store for anything when authenticating.
  3. This should be possible with a custom Django Authentication Backend as well.
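
Points 1 and 2 of the answer above, as an added example that is not part of the original post and is not django-rest-framework-jwt's own code: a standard-library HS256 issuer and verifier, showing that checking a token needs only the signing key and the `exp` claim, with no database lookup. The secret, claim names and lifetime are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # assumption: stands in for the server's signing key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(username: str, now: int, lifetime: int = 300) -> str:
    """Build and sign a token. Nothing is written to any table or session store."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"username": username, "exp": now + lifetime}  # constructed claim set
    payload = b64url_encode(json.dumps(claims).encode())
    signature = b64url_encode(sign(header + "." + payload))
    return header + "." + payload + "." + signature


def verify_token(token: str, now: int):
    """Return the claims if signature and expiry hold, else None. No lookup needed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse "none" or any unexpected algorithm
        expected = sign(header_b64 + "." + payload_b64)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # payload or signature was altered
        claims = json.loads(b64url_decode(payload_b64))
        if now >= claims["exp"]:
            return None  # past exp: rejected
        return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # malformed token


if __name__ == "__main__":
    token = issue_token("myuser", now=1000)
    print(verify_token(token, now=1100))  # inside the lifetime
    print(verify_token(token, now=1300))  # at or after exp
```

Because nothing is stored server-side, a copy of the token continues to verify until `exp` passes, even after the client has deleted its own copy.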