1. Yes.
2. The tokens are not stored in the backend SDK. They are simply attached to the response as cookies and the frontend stores them. The backend SDK only stores the public keys in memory to verify the access token.
3. To interact with the database, validate credentials, create / revoke tokens, etc.
4. For a session, it stores the session handle and hashes of the refresh token, not the access token.
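
The storage model in point 4, as an added sketch that is not part of the original answer and not the project's own code: a session table that keeps only the session handle and a hash of the refresh token, so a dump of the table yields nothing a client could present. The class and method names, the row layout and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Hypothetical stand-in for the server-side session table."""

    def __init__(self):
        # session_handle -> {"user_id": ..., "refresh_hash": ...}
        self._rows = {}

    @staticmethod
    def _digest(token):
        # Assumption: SHA-256; the answer above does not name the hash used.
        return hashlib.sha256(token.encode()).hexdigest()

    def create_session(self, user_id):
        handle = secrets.token_urlsafe(16)
        refresh_token = secrets.token_urlsafe(32)
        # Only the hash is persisted; the raw token is returned to the caller
        # once (to be set as a cookie) and never written to storage.
        self._rows[handle] = {
            "user_id": user_id,
            "refresh_hash": self._digest(refresh_token),
        }
        return handle, refresh_token

    def verify_refresh(self, handle, presented_token):
        row = self._rows.get(handle)
        if row is None:
            return None  # unknown or revoked session
        presented_hash = self._digest(presented_token)
        # Constant-time comparison of the stored and presented hashes.
        if not hmac.compare_digest(row["refresh_hash"], presented_hash):
            return None
        return row["user_id"]

    def revoke(self, handle):
        # Deleting the row invalidates the refresh token for that session.
        return self._rows.pop(handle, None) is not None

    def dump(self):
        # What someone reading the table would see: handles and hashes only.
        return {h: dict(r) for h, r in self._rows.items()}


if __name__ == "__main__":
    store = SessionStore()
    handle, token = store.create_session("user-1")  # constructed sample user
    print(store.verify_refresh(handle, token), token in str(store.dump()))
```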