Support server-side token invalidation?

Currently the only way to invalidate a JWT granting limited-lifetime access to certain resources is to rotate the HMAC signature secret, which will in fact invalidate all tokens.  There should probably be a more fine-grained way of doing this, though since tokens are relatively short-lived (1 hour currently, we might want to decrease that) it's probably ok for now.
