diff --git a/backend/src/controllers/permissionsController.js b/backend/src/controllers/permissionsController.js
index 403fc7c..7906b26 100644
--- a/backend/src/controllers/permissionsController.js
+++ b/backend/src/controllers/permissionsController.js
@@ -138,13 +138,18 @@ function setUserPermission(req, res) {
 function resetUserPermissions(req, res) {
 const uid = Number(req.params.id);
 const { permission } = req.body; // optional: reset one key
- if (permission) {
- db.prepare(
- 'DELETE FROM user_permissions WHERE user_id = ? AND permission = ?'
- ).run(uid, permission);
- } else {
- db.prepare('DELETE FROM user_permissions WHERE user_id = ?').run(uid);
- }
+ db.transaction(() => {
+ if (permission) {
+ db.prepare(
+ 'DELETE FROM user_permissions WHERE user_id = ? AND permission = ?'
+ ).run(uid, permission);
+ } else {
+ db.prepare('DELETE FROM user_permissions WHERE user_id = ?').run(uid);
+ }
+ // Bump token_version so the user's JWT picks up the new effective permissions
+ // immediately (could be a downgrade if override was =1 and role default is =0).
+ db.prepare('UPDATE users SET token_version = token_version + 1 WHERE id = ?').run(uid);
+ })();
 audit(req, 'permission.user_reset', `user:${uid}`, permission || null);
 res.json({ ok: true });
 }
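Review bot: The `if (permission)` test, now inside the transaction, treats an empty string or any other falsy body value like an absent key, so a request carrying `permission: ""` falls into the else branch and deletes every override for the user, explicit denies included. A guard ahead of `db.transaction` would make the reset-all path deliberate, e.g. `if (permission !== undefined && (typeof permission !== 'string' || permission === '')) return res.status(400).json({ ok: false });` (adapt the error shape to the controller's convention, which is not visible here). The same guard is the place to reject a `uid` that fails `Number.isInteger(uid)`: as written, `Number(req.params.id)` can be `NaN`, the new UPDATE then matches no row, and the handler still writes the audit entry and answers `{ ok: true }`. The comment's claim that the JWT picks up the change immediately presumably depends on the auth middleware comparing `token_version` on every request, which this hunk does not show.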