Yes, you need to store tokens somewhere. For example if a user opts in for notifications, then store its token in a database and remove it when he opts out again.

The tokens don't change as long as the app isn't deleted and reinstalled. In that case a new token will be issued. It MIGHT be that a token expires if an app hasn't been connected to Firebase Cloud Messaging for a long time, but I am not sure about that.