How can I prevent the usage of old flask-jwt token when I change the password

Tags: flask


This is a con of using stateless JWT tokens - you cannot explicitly revoke them.

The corresponding pro is that you do not have to contact external service in order to verify them.


We can build an additional security layer by storing all tokens in our DB. When validating a token we can check whether this token was generated by our server itself or not by using this database table. Also we can revoke the token when the user resets his password, by just deleting that token from the DB.


It is important to keep in mind that (stateless) JWT tokens are invalidated ONLY when they expire or when the shared secret used for signing them changes.

So basically, the choices are:

  • Use a database, as @savad-kp suggested, to keep a list of blacklisted/revoked tokens: This implies that you'll have to query it every time you verify a token, which kind of undermines one of the main benefits of using JWT tokens.
  • Rely on short-lived access tokens: which implies that clients will need to reauthenticate frequently, which may be a no-go option especially for mobile devices and web apps.
  • Use the token freshness pattern or some other custom variant:

[...] you can choose to mark some access tokens as fresh and others as non-fresh, and use the fresh_jwt_required decorator to only allow fresh tokens to access some endpoints.

This is useful for allowing fresh tokens to do some critical things (maybe change a password, or complete an online purchase), but to deny those features to non-fresh tokens (until they re-authenticate and get a new fresh token). Fresh tokens can lead to a more secure site, without creating a bad user experience by making users re-authenticate all the time.

I would also suggest using the flask-jwt-extended plugin instead of the flask-jwt one. It supports some common patterns out of the box (refresh tokens, token freshness) as well as blacklists and token revoking with a DB.
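The two ideas above, a server-side token table that is consulted on every check and emptied when the password changes (savad-kp's answer) and fresh versus non-fresh tokens with a fresh token required to change the password (the last answer), combined into one runnable example. This is added code, not from the question, the answers, flask-jwt or flask-jwt-extended: it signs HS256 JWTs with the standard library instead of either plugin, uses an in-memory sqlite table as the "DB", and every name in it (TokenStore, AuthService, the demo secret, the constructed user) is an assumption of the example.

```python
# Added example, not code from the question or answers: minimal HS256 JWTs plus a
# server-side token table, so a password change revokes every token issued before it.
# Stand-in for flask-jwt / flask-jwt-extended; SECRET, TokenStore, AuthService and
# the demo user are constructed for this example.
import base64
import hashlib
import hmac
import json
import secrets
import sqlite3
import time
from typing import Optional

SECRET = b"demo-signing-secret-do-not-use"  # constructed; load from config in real code
ACCESS_TTL = 15 * 60  # seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Sign claims as a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def decode_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Stateless verification only (signature, pinned alg, expiry).
    This is all a pure JWT check can do: it knows nothing about password changes."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed structure, base64 padding or JSON (binascii.Error is a ValueError)
        return None
    if header.get("alg") != "HS256":  # refuse alg=none / algorithm confusion
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


class TokenStore:
    """The extra layer from the answers: a table of issued token ids (jti).
    A token is honoured only while its jti is present; revocation is a DELETE."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE tokens (jti TEXT PRIMARY KEY, username TEXT NOT NULL)")

    def add(self, jti: str, username: str) -> None:
        self.db.execute("INSERT INTO tokens (jti, username) VALUES (?, ?)", (jti, username))

    def is_active(self, jti: str) -> bool:
        return self.db.execute("SELECT 1 FROM tokens WHERE jti = ?", (jti,)).fetchone() is not None

    def revoke_user(self, username: str) -> int:
        return self.db.execute("DELETE FROM tokens WHERE username = ?", (username,)).rowcount


class AuthService:
    def __init__(self, store: TokenStore, secret: bytes = SECRET) -> None:
        self.store = store
        self.secret = secret
        self.users = {}  # username -> (salt, pbkdf2 digest); constructed in-memory user store

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def _check_password(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._hash(password, salt))

    def _issue(self, username: str, fresh: bool) -> str:
        now = int(time.time())
        jti = secrets.token_urlsafe(16)
        self.store.add(jti, username)  # record it so it can be revoked later
        return encode_jwt({"sub": username, "jti": jti, "fresh": fresh,
                           "iat": now, "exp": now + ACCESS_TTL}, self.secret)

    def login(self, username: str, password: str) -> Optional[str]:
        """A password login yields a *fresh* token (token-freshness pattern)."""
        return self._issue(username, fresh=True) if self._check_password(username, password) else None

    def verify(self, token: str) -> Optional[dict]:
        """Stateless check plus the DB lookup that makes revocation possible."""
        claims = decode_jwt(token, self.secret)
        if claims is None or not self.store.is_active(claims.get("jti", "")):
            return None
        return claims

    def refresh(self, token: str) -> Optional[str]:
        """Swap a valid token for a new non-fresh one without re-entering the password."""
        claims = self.verify(token)
        return self._issue(claims["sub"], fresh=False) if claims else None

    def change_password(self, token: str, new_password: str) -> bool:
        claims = self.verify(token)
        if claims is None:
            return False
        if not claims.get("fresh"):
            raise PermissionError("fresh token required: re-authenticate with the password first")
        salt = secrets.token_bytes(16)
        self.users[claims["sub"]] = (salt, self._hash(new_password, salt))
        self.store.revoke_user(claims["sub"])  # every token issued before the change dies here
        return True
```

The point to notice is the pair of checks after the password change: `decode_jwt` still accepts the old token, because its signature and expiry are untouched, while `AuthService.verify` rejects it because its jti is gone from the table. That DB lookup on every request is the cost the last answer describes; the freshness flag is what stops a long-lived refreshed session from changing the password without the user proving they still hold it.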