Where would it do this lookup from? [..] the authentication flow won’t be stateless anymore, which was the main benefit of JWTs, right?

The lookup would be against the database, as that is where the refresh tokens are stored; however, this brings about what is meant by potentially losing the main benefit of JWTs.

Adding a “required” reference to a value stored in the database effectively functions like a cookie, but then again, refresh tokens indirectly function the same way to retrieve a token. However, this reference is persisted in the database so the whole process doesn’t rely on a temporal session that may be lost if something happens to the server process itself.

I suppose this is a detail that may need to be overlooked if one hopes to authenticate via JWTs and have a surefire way of terminating a refresh token “session” and invalidating all issued JWTs that were created with that refresh token, instead of waiting for them to expire.

It’s up to you as to what you’d prefer to focus on.

With that said, if someone were to maliciously hijack your JWT somehow, it would be in their best interest to work quickly before the JWT expires…
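
Added example, not part of the original post: a sketch of the database-backed check discussed above, where every JWT carries a reference to its refresh-token row and revoking that row invalidates all JWTs issued from it before they expire. The `rid` claim, the `refresh_tokens` table, the function names and the hand-rolled HS256 signing (used here in place of a JWT library) are assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets, sqlite3, time

SECRET = b"constructed-demo-key"  # constructed value, for this example only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE refresh_tokens (id TEXT PRIMARY KEY, user TEXT, revoked INTEGER DEFAULT 0)")
    return db

def login(db, user: str) -> str:
    """Persist a refresh-token row and return its id (hypothetical schema)."""
    rid = secrets.token_urlsafe(16)
    db.execute("INSERT INTO refresh_tokens (id, user) VALUES (?, ?)", (rid, user))
    return rid

def issue_jwt(db, rid: str, ttl: int = 300) -> str:
    row = db.execute("SELECT user FROM refresh_tokens WHERE id = ? AND revoked = 0", (rid,)).fetchone()
    if row is None:
        raise PermissionError("refresh token unknown or revoked")
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": row[0], "rid": rid, "exp": int(time.time()) + ttl}
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_sign(header + '.' + payload)}"

def verify_jwt(db, token: str) -> dict:
    header, payload, sig = token.split(".")
    if not hmac.compare_digest(sig.encode(), _sign(f"{header}.{payload}").encode()):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] < time.time():
        raise PermissionError("expired")
    # The stateful step: the JWT is honoured only while its refresh-token row is live.
    row = db.execute("SELECT revoked FROM refresh_tokens WHERE id = ?", (claims["rid"],)).fetchone()
    if row is None or row[0]:
        raise PermissionError("session revoked")
    return claims

def revoke(db, rid: str) -> None:
    """Terminate the refresh-token session; every JWT referencing it now fails."""
    db.execute("UPDATE refresh_tokens SET revoked = 1 WHERE id = ?", (rid,))
```

The cost is one indexed lookup per request, which is the loss of statelessness the thread is weighing against immediate revocation.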