Correct, whenever the user access token dies, you can auto-fetch a new access token using the refresh token.
Correct!
Yup, that is pretty standard when it comes to OAuth.
- Get permission from the end user once.
- Then you run using the token till it dies.
- Refresh that token using the refresh token.
- Store the new access token (and new refresh token if one is provided).
- And use the new token.
I store mine in a database generally, and I fetch/save as needed rather than hardcoding it.
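
The refresh cycle listed above, as an added example that is not part of the original post: tokens live in a SQLite table, an expired access token triggers a refresh, and a rotated refresh token replaces the stored one. The table layout, function names, the 30-second expiry skew and `FakeTokenEndpoint` (a constructed stand-in for a provider's token endpoint) are all assumptions for illustration.

```python
import sqlite3
import time

def open_store(path=":memory:"):
    """Create the token table; one row per user."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS tokens (user TEXT PRIMARY KEY, "
               "access_token TEXT, refresh_token TEXT, expires_at REAL)")
    return db

def save_tokens(db, user, resp, old_refresh=None, now=None):
    """Persist a token response; keep the old refresh token if none was returned."""
    now = time.time() if now is None else now
    refresh = resp.get("refresh_token") or old_refresh
    db.execute("INSERT OR REPLACE INTO tokens VALUES (?, ?, ?, ?)",
               (user, resp["access_token"], refresh, now + resp["expires_in"]))
    db.commit()

def get_access_token(db, user, refresh_fn, now=None, skew=30):
    """Return a live access token, refreshing and storing a new one if it expired."""
    now = time.time() if now is None else now
    row = db.execute("SELECT access_token, refresh_token, expires_at FROM tokens "
                     "WHERE user = ?", (user,)).fetchone()
    if row is None:
        raise LookupError("user has not granted permission yet")
    access, refresh, expires_at = row
    if now < expires_at - skew:
        return access                       # token still alive, use it
    resp = refresh_fn(refresh)              # token died: ask for a new one
    save_tokens(db, user, resp, old_refresh=refresh, now=now)
    return resp["access_token"]

class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""
    def __init__(self, first_refresh):
        self.valid_refresh, self.calls = first_refresh, 0
    def __call__(self, refresh_token):
        if refresh_token != self.valid_refresh:
            raise PermissionError("invalid_grant")
        self.calls += 1
        self.valid_refresh = f"rt-{self.calls}"
        return {"access_token": f"at-{self.calls}", "expires_in": 3600,
                "refresh_token": self.valid_refresh}

def demo():
    db, endpoint = open_store(), FakeTokenEndpoint("rt-0")
    grant = {"access_token": "at-0", "expires_in": 3600, "refresh_token": "rt-0"}
    save_tokens(db, "alice", grant, now=0)  # result of the one-time user consent
    return [get_access_token(db, "alice", endpoint, now=t) for t in (100, 4000, 8000)]
```

If the rotated refresh token were not saved, the third call would present the stale `rt-0` and be rejected. In a real deployment the token columns would also be encrypted at rest.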