Can an existing connection's token capabilities be upgraded or downgraded?

Yes. The client issues a re-authentication request, which obtains a new token and sends that token to Ably over the existing realtime connection. The capabilities (permissions) specified in that token are applied automatically.
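The following is an added example, not code from Ably's documentation: it re-authenticates on an existing connection and then compares the capability in the issued token with the one requested, so that an upgrade that was not fully granted or a downgrade that left extra permissions is visible to the caller. It assumes the Ably JavaScript client's promise-returning `auth.authorize()` and a `realtime` client created elsewhere; the function names and channel names are hypothetical.

```javascript
// Added example. `realtime` is an Ably Realtime client created elsewhere;
// the promise-returning auth.authorize() form is assumed.

// Operations listed in `wanted` that `have` does not contain, per resource.
// Resource names are compared literally; wildcard names are not expanded.
function missingOperations(wanted, have) {
  const missing = {};
  for (const [resource, ops] of Object.entries(wanted)) {
    const haveOps = have[resource] || [];
    const lacking = haveOps.includes('*')
      ? []
      : ops.filter((op) => !haveOps.includes(op));
    if (lacking.length > 0) missing[resource] = lacking;
  }
  return missing;
}

// Re-authenticate on the existing connection and report how the capability
// in the issued token differs from the one requested.
async function changeCapabilities(realtime, requested) {
  const tokenDetails = await realtime.auth.authorize({
    capability: JSON.stringify(requested),
  });
  // TokenDetails.capability is a JSON string; accept an object as well.
  const granted = typeof tokenDetails.capability === 'string'
    ? JSON.parse(tokenDetails.capability)
    : tokenDetails.capability;
  return {
    granted,
    missing: missingOperations(requested, granted), // upgrade not fully granted
    excess: missingOperations(granted, requested),  // downgrade not fully applied
  };
}
```

A caller downgrading a connection would treat a non-empty `excess` as a failure, and a caller upgrading would treat a non-empty `missing` the same way.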

 

See "Recommendations for incrementally authorising new capabilities" for more information.