It really depends on what your app does and who it serves. Is it a private app or a public app?
In any use case, if you want the user to log in just once and use your app forever, then you must keep the access token and the refresh token of each user and keep the refresh token valid as long as the user stays logged in. By default, a refresh token will expire after 7 days. You will get a new refresh token every time you use it to get a new access token, and the expiration time will be set again for 7 days. Thus, you have to keep the entire set of tokens returned from the platform and set a timer to automatically refresh the tokens if the user or your app stays idle for more than 6 days.
As for your other question about using either a super admin extension token or each individual extension token, it depends on what your app is doing. If you only need to read e.g. the call log or the message store of each user extension, then logging in with a super admin user's credentials to read the data of other extensions is enough, provided that you have your own way to recognize which user extension to read. But if you want to control calls or you want to send SMS from a particular user extension, then you must use the access token of that user extension to perform the operation. In other words, a super admin cannot perform certain operations on behalf of other user extensions.
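The token handling described in the second paragraph above, as an added example that is not part of the original answer and not the platform's own code. It assumes a hypothetical `refresh_call` function that exchanges a refresh token for a new token response, and the standard OAuth 2.0 response fields `access_token`, `refresh_token` and `expires_in`.

```python
import time
from dataclasses import dataclass

REFRESH_TTL = 7 * 24 * 3600   # refresh-token lifetime given in the answer above
REFRESH_IDLE = 6 * 24 * 3600  # renew once a token pair has sat idle this long

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: float
    refresh_issued_at: float

class TokenStore:
    """Keeps the latest token pair per user (in memory here; encrypt at rest in production)."""

    def __init__(self, refresh_call, now=time.time):
        self._refresh_call = refresh_call  # hypothetical: refresh_token -> token response dict
        self._now = now
        self._tokens = {}

    def save(self, user_id, resp):
        # Overwrite the whole pair: every refresh returns a new refresh token as well.
        now = self._now()
        self._tokens[user_id] = TokenSet(resp["access_token"], resp["refresh_token"],
                                         now + resp["expires_in"], now)

    def _refresh(self, user_id):
        ts = self._tokens[user_id]
        if self._now() - ts.refresh_issued_at >= REFRESH_TTL:
            del self._tokens[user_id]
            raise PermissionError(f"refresh token for {user_id} expired; login required")
        self.save(user_id, self._refresh_call(ts.refresh_token))

    def access_token(self, user_id):
        # Refresh 60 s early so a request never goes out with an expiring token.
        if self._now() >= self._tokens[user_id].access_expires_at - 60:
            self._refresh(user_id)
        return self._tokens[user_id].access_token

    def keep_alive(self):
        """Call from a periodic job; returns (refreshed, expired) user ids."""
        refreshed, expired = [], []
        for user_id, ts in list(self._tokens.items()):
            if self._now() - ts.refresh_issued_at >= REFRESH_IDLE:
                try:
                    self._refresh(user_id)
                    refreshed.append(user_id)
                except PermissionError:
                    expired.append(user_id)
        return refreshed, expired
```

Run `keep_alive()` from a scheduler at least once a day so an idle user's pair is renewed between day 6 and day 7; users reported as expired have to log in again.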