Handling OAuth Tokens after successful request

The documentation doesn’t really clarify how to store the tokens, because how they handle tokens is usually the developer’s job, although they do specify a warning:

Warning: Treat your token like a password. For example, never use access tokens in any public URL, and never display tokens on any web page without requiring a click to de-obfuscate. Keep tokens private!

So ultimately you can store them however you want. The security aspect depends on your knowledge of handling sensitive information. If no API calls are being made client side, and the client instead asks your server to make the request to the API for them, you can make the request server side and then send the data back to them. In this case, storing the tokens in a database or file wouldn’t hurt.

As long as the tokens don’t expire you can continue using them. Once they expire you will need to refresh them.

Hopefully I helped answer your question!
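
A sketch of the server-side approach this answer describes, added here as an example and not part of the original post: tokens are kept in an owner-only file, refreshed once they expire, and never logged in full. `TokenStore`, `refresh_fn` and `redact` are hypothetical names; `refresh_fn` stands in for whatever refresh call your API provider documents.

```python
import json
import os
import tempfile
import time


class TokenStore:
    """Server-side OAuth token storage in an owner-only (0600) JSON file."""

    def __init__(self, path, refresh_fn, skew=60):
        self.path = path
        self.refresh_fn = refresh_fn  # hypothetical: refresh_token -> new token dict
        self.skew = skew              # refresh this many seconds before expiry

    def save(self, access_token, refresh_token, expires_in, now=None):
        now = time.time() if now is None else now
        record = {"access_token": access_token,
                  "refresh_token": refresh_token,
                  "expires_at": now + expires_in}
        # mkstemp creates the file readable/writable by the owner only; the
        # atomic rename means the token file is never seen half-written.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        try:
            with os.fdopen(fd, "w") as fh:
                json.dump(record, fh)
            os.replace(tmp, self.path)
        except BaseException:
            os.unlink(tmp)
            raise

    def access_token(self, now=None):
        """Return a usable access token, refreshing it first if it has expired."""
        now = time.time() if now is None else now
        with open(self.path) as fh:
            rec = json.load(fh)
        if now >= rec["expires_at"] - self.skew:
            new = self.refresh_fn(rec["refresh_token"])
            # Some providers rotate the refresh token; keep the old one otherwise.
            self.save(new["access_token"],
                      new.get("refresh_token", rec["refresh_token"]),
                      new["expires_in"], now)
            return new["access_token"]
        return rec["access_token"]


def redact(token):
    """Form that is safe to write to logs: never the full token."""
    return token[:4] + "..." if len(token) > 8 else "***"
```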