Hey Martin,
Lots of questions here, but let's see if I can answer all of them for you.
ID tokens expire one hour after creation. You cannot change this expiration time. Under the hood, the client SDKs refresh the ID token using a long-lived token we call a refresh token. The refresh token is used to generate a new ID token every hour which allows the client SDKs to continue to work seamlessly. The refresh token allows the client to stay logged in indefinitely until you call signOut() or a session invalidation event like a change in password or email happens from another client device.
You don't need to do anything to manage the ID token's lifecycle. The client SDKs do all of that for you. Whenever you need to use the ID token from your custom backend, send the current token along with the request from the client. I would not suggest persisting ID tokens on your server since their lifetime is so short.
Lastly, onAuthStateChanged() is called once upon page load and then every time an auth state event occurs. Auth state events include a sign in or a sign out. Technically, the client SDKs will also fire onAuthStateChanged() every time a new ID token is minted, but this may be changing in an upcoming release so I wouldn't rely too much on this behavior. Instead, I'd just call currentUser.getToken() whenever you need the latest fresh ID token. Every time the listener onAuthStateChanged() is called, it is passed the current Firebase user. If this is null, there is no logged-in user. Otherwise, there is a logged-in user.
Hope that helps,
Jacob
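
The advice above, as an added example that is not part of the original reply and is not Firebase's own code: a backend that checks the ID token sent with each request and stores nothing. A locally generated RSA key stands in for Google's signing keys, and `PROJECT_ID`, `mintTestToken`, `verifyTokenLocally` and `handleRequest` are hypothetical names; a real backend would call the Admin SDK's `verifyIdToken()` instead.

```javascript
// Added example: constructed key pair, project ID and tokens (assumptions, not Firebase code).
const crypto = require("crypto");

const PROJECT_ID = "example-project"; // hypothetical project ID
const ISSUER = "https://securetoken.google.com/" + PROJECT_ID;
const b64url = (v) => Buffer.from(v).toString("base64url");

// Stand-in for Google's signing key; a real backend only ever holds the public keys.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Mint a constructed token shaped like an ID token: RS256, exp = iat + one hour.
function mintTestToken(uid, iat, key = privateKey) {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const claims = { iss: ISSUER, aud: PROJECT_ID, sub: uid, iat, exp: iat + 3600 };
  const payload = b64url(JSON.stringify(claims));
  const sig = crypto.sign("RSA-SHA256", Buffer.from(header + "." + payload), key);
  return header + "." + payload + "." + sig.toString("base64url");
}

// Check signature, project and expiry on every request; nothing is cached or persisted.
function verifyTokenLocally(token, nowSec) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  let alg, claims;
  try {
    alg = JSON.parse(Buffer.from(parts[0], "base64url")).alg;
    claims = JSON.parse(Buffer.from(parts[1], "base64url"));
  } catch { throw new Error("malformed token"); }
  if (alg !== "RS256") throw new Error("unexpected algorithm");
  const signed = Buffer.from(parts[0] + "." + parts[1]);
  if (!crypto.verify("RSA-SHA256", signed, publicKey, Buffer.from(parts[2], "base64url"))) throw new Error("bad signature");
  if (claims.iss !== ISSUER || claims.aud !== PROJECT_ID) throw new Error("wrong project");
  if (typeof claims.exp !== "number" || nowSec >= claims.exp) throw new Error("token expired");
  return claims;
}

// Hypothetical request handler: uses only the bearer token sent with this request.
function handleRequest(headers, nowSec) {
  const m = /^Bearer (.+)$/.exec(headers.authorization || "");
  if (!m) return { status: 401, error: "missing bearer token" };
  try {
    return { status: 200, uid: verifyTokenLocally(m[1], nowSec).sub };
  } catch (e) {
    return { status: 401, error: e.message };
  }
}
```

A token that was valid when the server first saw it is rejected once the hour is up, which is why a stored copy is of no use and the client should send its current token each time.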