To answer your questions:
1) How do you handle a situation with a compromised token secret which is shared between a client and the server?
Add an expiry date to your token. Make the sure the token cannot be used after the expiry time. But this doesn't prevent unauthorized access within the token's expiry period.
So, to overcome this problem you can embed the client's IP address or other such information inside the token. And make sure the incoming request with the token is used from the same IP Address to which it was issued to.
2) Do you logout all your clients and define a new token secret for future requests? (that would be a bad experience)
If you mean using multiple tokens in a authorized manner. No. You can continue to use multiple tokens at the same time, provided you have a finite expiry period to the tokens. This make sure your token are used within the intended time window.
But, if you mean when the token is stolen and you somehow figured it out. Its better to invalidate all tokens to that user.
However, you make want to have a mechanism that will revoke all tokens explicitly in special cases. May be like when the user resets his password because he thinks his password may be compromised.
3) Is there a way to just logout the compromised client?
May be, depends on you ability to precisely identify which token has been compromised. Which may lead to all clients using that token to lose access. But, I wouldn't recommend it. But, hey you can always write code that will dynamically re-authenticate and get a new access token when it can no longer use the token. :-)
Don't be afraid to invalidate a token when necessary. If you loose a token write a dynamic script to re-authenticate. If you think you may loose the session details when you use new token, resend the expired token. Using this expired token you can reconstruct a new token with the old token's session details.