Once you receive the access token, it’s up to you to persist it – that might mean you have a login system on your site, and you’ve associated that access token with their login information. If you don’t have a login system on your site, then your ability to identify the end user is a bit more temporal. While you would never want to store an access token and access token secret in a session cookie, you might want to use it as a pointer to where to find it for the “current user” in your database.
If you don’t have any kind of persistence layer on your side, you’re going to have to use the OAuth flow to re-negotiate and identify the token each time.
