Push technologies

How are web push tokens added and removed with personal messages?

For example, there is OneSignal, but it doesn't matter (the same FireBase).
How to properly organize the work of personal notifications, how it works on Facebook.
The following key points are of interest:
1) how the token is usually transferred at the time of login.
2) how is the token usually erased at the moment of logout? And if the session just died. In the past, I remember most sites had a problem with such notifications. And Vkontakte and Sberbank online are no exceptions. Even Sberbank seems to still send push messages after exiting applications.
3) how to store all tokens of an individual user? at the backend level to store them and send them to users? What if there is a zoo of tokens? Can OneSignal check if a user has been active for 2-3 days?
4) How do you generally work with personal PUSH notifications in the WEB/App?
As I see it, correct me if I'm wrong;
1) The person logs in.
2) we request webpush notifications. if the user allows, then write the token to the database.
3) if necessary, we send a personal push to the user.
4) with the necessary logout, we send information that the token needs to be deleted.
5) but what if obsolete tokens are stored. Or is the client session closed, but the tokens are still active?