Update/change roles claim (or any other claim) in JWT

Refresh tokens don’t seem to be the solution if you care about the changes you make being instant: you probably don’t want a user to access moderation tools for some time after you revoke his permissions.

What you could do is keep a version number in the jwt token relative to the user, much like how mongoose does it with its versionKey. By doing this, you would be able to check this version against the one in the database for a given user. Each time you change the roles of this user, you would increment this version; if the version of the jwt doesn’t match, just recreate a new one with the correct roles and version and send it back to the user.

I don’t believe there is a proper standard for this; as jwt is immutable by design, you’ll have to change it entirely if you need to “update” it.
