What if at the same time this user installs app on the other device - should I store multiple tokens per user on the app server?

Yes. A user could have multiple devices, a case where Device Groups are commonly used.

If yes - that means there should be something like checking for which ones are expired?

If a token expires, a callback is triggered (onTokenRefresh() for Android), from where you'll have to send the new token to your App Server and delete the old one corresponding to the user/device.

Graykos, You can do sth like this:

each time a user login get a new token from google, and when logout delete that token. So if user login from multiple device/browser OR multiple user login from one device/browser one after the other, you can nicely handle all of that.

in this way "multiple user login from one device/browser one after the other", all of them have the same token (so delete and renew for each login)

As Andres SK mentioned in the first comment of your question, you can delete the token when failure happen (maybe the lost device that user cannot logout from).

I also came across the exact challenge and had to resolve to a solution: Storing each token for the user against the device id. It's interesting enough to know that this function in fact exists in the firebase messaging method. But more surprising is the fact that there's no documentation to handle such scenario. https://firebase.google.com/docs/reference/android/com/google/firebase/iid/FirebaseInstanceId.html#getId()

Summarily, while sending the new token to the server, also send along the device id returned by the getId() method and use it to enforce uniqueness of token per device.

And to also apply this solution while taking advantage of device grouping feature of FCM, you can make a server request on the FCM group, in order to delete the old token on that device-id before replacing it with the new.