How can you provide a stateless logout (that invalidates credentials rather than simply forgetting them client side)?