Using Tokens and Refrash Tokens

Hey guys, I have a strong question about the use of tokens for data consumption in an Api. I know how it works to receive a token and use it in requests. The user logs in, and along with the response comes a token, which will be stored in the local storage and sent along with the requests to the server for interaction with the database, in the case of a CRUD. My doubts are: do all tokens last for one hour? When it expires, do I need to log in again, or does the token reframe pass me a new token? (Note: I do not understand what this token refraction is and I do not know how long it lasts (I think it should be an hour, but I'm not sure), and when it expires, I do not know what happens.) Does anyone know how the tokens system works using Firebase auth? If the user changes their data, such as change of email or password, is a new token generated? (I saw this somewhere, but I do not know if it's the database access token for a CRUD or the application access token we got when we created the account). What security features should I adopt in order for my token to be secure? In case I am using Firebase for authentication, database and hosting, does it make sense to use their tokens system or create one with passport-jwt? Thanks for the attention.