Yes, correct, sorry for my misunderstanding. I saw many code-bases that save tokens in httpOnly cookies and then send it to the frontend to be kept in memory, so I assumed that was what you meant. (These approaches do make sense; they essentially do that to avoid keeping the secret in plain cookies/localstorage, since in memory is still much better than those, but you will lose it upon refresh.)
Yes! Roles are documents, just like everything in the database, so you can Get() them. For example, the following will get all your roles:
Map(Paginate(Roles()),
Lambda(['ref'], Get(Var('ref'))))
No, at this point you simply get ‘unauthorized’ if you try to use it and do something.
You could, however, if you want something like that, take the Session approach, where you actually store documents yourself for a ‘session’. For example:
You can easily add a ‘valid_until’ or calculate on the fly whether the ts is still valid on such a document. In your roles you could fetch the session via Identity(), verify whether it is still valid and then get the actual account (since we keep a reference in the session) to continue your business logic.
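The session approach described above, written out as an added FQL example (not code from the original post). It assumes a `sessions` collection whose documents hold an `account` reference and a `valid_until` timestamp, an `accounts` collection, and that the token is issued for the session document so that `Identity()` resolves to the session ref:

```fql
// Added example, not from the original post. Assumes collections
// "sessions" and "accounts" already exist.

// 1. Create a session for an account that expires in one hour, and
//    issue a token whose Identity() is the session document itself.
Let(
  {
    session: Create(Collection("sessions"), {
      data: {
        account: Ref(Collection("accounts"), "1"), // hypothetical account id
        valid_until: TimeAdd(Now(), 1, "hours")
      }
    })
  },
  Create(Tokens(), { instance: Select("ref", Var("session")) })
)

// 2. A role whose membership is every session document that is still
//    valid, and which may only read the account the session points to.
CreateRole({
  name: "session_user",
  membership: [{
    resource: Collection("sessions"),
    // membership predicate: the session is a member only while
    // valid_until lies in the future, so an expired token is rejected
    predicate: Query(Lambda("sessionRef",
      GT(Select(["data", "valid_until"], Get(Var("sessionRef"))), Now())
    ))
  }],
  privileges: [{
    resource: Collection("accounts"),
    actions: {
      // read predicate: Identity() is the session ref; allow reading only
      // the account referenced from that session document
      read: Query(Lambda("accountRef",
        Equals(Var("accountRef"),
               Select(["data", "account"], Get(Identity())))
      ))
    }
  }]
})
```

Deleting the session document (or letting `valid_until` pass) revokes access, since the membership predicate is evaluated on every request.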