
I built my Vue SPA app. The frontend and the backend are completely separate, so I don't use Laravel's session auth; I want to do the whole authentication with Vue only and send the necessary data to the backend.

This question is only about a basic understanding of how I should handle the two JWT tokens, i.e. access_token and refresh_token.

Now I have already integrated Laravel Passport and the most important auth functions into my own controller. I have the following methods:

register, login, logout and refreshToken methods.

register() and login() return an access/refresh token. logout() deletes the access tokens from the user, and refreshToken() takes the refresh_token and gives me a new access_token and refresh_token. If I test the API with Postman, it works. My access_token is valid for 30 min until it expires. Before that it should be renewed with the refresh_token, or I can't access any secured auth:api routes.

Now to the basic understanding questions.

  1. Should I save the access_token and refresh_token to localStorage? Right now I only save the access_token, because I think that if a hacker gets the access_token, it will only be valid for some minutes. If he also got the refresh_token, he could renew the access_token as much as he wants. So how should I save the refresh_token?
  2. How long should the refresh_token be valid if the access_token is valid for 30 min? I did 60 minutes, but I don't really know if that makes sense at all.
  3. When should I use the refresh_token? If the access_token is valid, I can reach all protected APIs, so I don't need the refresh_token at this time. So what if the access_token is no longer valid? Then I get an error in the frontend. Should I make a second API call directly, which tries to refresh the access_token? If it worked, I would have to do the original API query again. I think this is not a good solution. So maybe a middleware that renews the access_token on every protected API request? But then I would have to overwrite the old access_token with the new one on every request. I think that's not how it should be?
JuniorDev

0 Answers
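An added example (not part of the question, not from Laravel Passport, and not a posted answer) of one way to wire the flow asked about in point 3, with the storage choice from point 1 built in: the access_token is held in memory only, the refresh_token is the one thing persisted (the storage object is injected, so in a browser it would be `window.localStorage` or something stricter), a refresh is triggered proactively just before the known expiry and at most once more when a request still comes back 401, after which the original request is replayed; concurrent requests share a single in-flight refresh instead of each calling the refresh endpoint. The endpoint path `/api/refresh`, the response shape `{access_token, refresh_token, expires_in}`, the 30 s safety margin and the fake backend are assumptions for illustration; the fake backend mimics what the question describes (30 min access tokens, refresh tokens rotated on each use).

```javascript
// Added example: SPA-side token handling for a separate Passport backend.
// Not code from the question or from Laravel Passport; endpoint path, response
// shape and storage interface are assumptions.
class TokenManager {
  constructor({ fetchImpl, refreshUrl, storage, now = () => Date.now() }) {
    this.fetch = fetchImpl;    // injected so the flow can run offline
    this.refreshUrl = refreshUrl;
    this.storage = storage;    // assumption: localStorage-like getItem/setItem/removeItem
    this.now = now;
    this.accessToken = null;   // memory only, never persisted
    this.expiresAt = 0;        // ms timestamp after which we refresh before sending
    this.refreshing = null;    // in-flight refresh promise shared by all callers
  }

  setTokens({ access_token, refresh_token, expires_in }) {
    this.accessToken = access_token;
    // treat the token as stale 30 s early so a request in flight at expiry is not rejected
    this.expiresAt = this.now() + expires_in * 1000 - 30000;
    if (refresh_token) this.storage.setItem('refresh_token', refresh_token);
  }

  clear() {                    // end the client-side session; caller should show the login page
    this.accessToken = null;
    this.expiresAt = 0;
    this.storage.removeItem('refresh_token');
  }

  refresh() {
    if (this.refreshing) return this.refreshing;   // coalesce concurrent refreshes
    const refreshToken = this.storage.getItem('refresh_token');
    if (!refreshToken) return Promise.reject(new Error('no refresh token, log in again'));
    this.refreshing = this.fetch(this.refreshUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ refresh_token: refreshToken }),
    }).then(async (res) => {
      if (!res.ok) {           // refresh token expired or revoked: drop everything
        this.clear();
        throw new Error('refresh rejected, log in again');
      }
      this.setTokens(await res.json());  // Passport rotates the refresh token: keep the new one
      return this.accessToken;
    }).finally(() => { this.refreshing = null; });
    return this.refreshing;
  }

  async request(url, options = {}) {
    if (this.accessToken === null || this.now() >= this.expiresAt) await this.refresh();
    const send = () => this.fetch(url, {
      ...options,
      headers: { ...(options.headers || {}), Authorization: `Bearer ${this.accessToken}` },
    });
    let res = await send();
    if (res.status === 401) {  // revoked server-side or clock skew: refresh once and replay
      await this.refresh();
      res = await send();
    }
    return res;
  }
}

// Constructed in-memory stand-ins (no network) so the flow above can be exercised offline.
function makeFakeStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v), removeItem: (k) => m.delete(k) };
}

function makeFakeBackend(clock) {  // 30 min access tokens, refresh token rotated on each use
  let n = 0;
  const access = new Map(), refreshTokens = new Set(), calls = [];
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  const issue = () => {
    const pair = { access_token: `at${++n}`, refresh_token: `rt${n}`, expires_in: 1800 };
    access.set(pair.access_token, clock.now() + 1800 * 1000);
    refreshTokens.add(pair.refresh_token);
    return pair;
  };
  const fetchImpl = async (url, opts = {}) => {
    calls.push(url);
    if (url === '/api/refresh') {
      const { refresh_token } = JSON.parse(opts.body);
      return refreshTokens.delete(refresh_token) ? reply(200, issue()) : reply(401, {});
    }
    const tok = ((opts.headers || {}).Authorization || '').replace('Bearer ', '');
    const exp = access.get(tok);
    return exp !== undefined && exp > clock.now() ? reply(200, { user: 'demo' }) : reply(401, {});
  };
  return { fetchImpl, login: issue, calls, revoke: (t) => access.delete(t) };
}

// Walk through the situations raised in the question and report what happened.
async function simulateSession() {
  const clock = { t: 1000000, now() { return this.t; } };
  const backend = makeFakeBackend(clock), storage = makeFakeStorage();
  const tm = new TokenManager({ fetchImpl: backend.fetchImpl, refreshUrl: '/api/refresh', storage, now: () => clock.now() });
  const statuses = [];
  tm.setTokens(backend.login());                                  // as login() would
  statuses.push((await tm.request('/api/user')).status);          // fresh token: no refresh
  clock.t += 31 * 60 * 1000;                                      // access token expired
  statuses.push((await tm.request('/api/user')).status);          // proactive refresh, then request
  backend.revoke(tm.accessToken);                                 // revoked server-side
  statuses.push((await tm.request('/api/user')).status);          // 401 -> refresh -> replay
  clock.t += 31 * 60 * 1000;
  const both = await Promise.all([tm.request('/api/a'), tm.request('/api/b')]); // one shared refresh
  statuses.push(both[0].status, both[1].status);
  storage.setItem('refresh_token', 'bogus');                      // refresh token no longer valid
  clock.t += 31 * 60 * 1000;
  let sessionEnded = false;
  try { await tm.request('/api/user'); } catch (e) { sessionEnded = tm.accessToken === null && storage.getItem('refresh_token') === null; }
  return { statuses, refreshCalls: backend.calls.filter((u) => u === '/api/refresh').length, sessionEnded };
}
```

`simulateSession()` resolves to five 200 responses with four calls to the refresh endpoint (expiry, revocation, one shared by the two concurrent requests, and the final failing one), after which the client has no tokens left and must log in again. The retry-on-401 path costs one extra round trip only when the server has invalidated a token the client still thought was good; in normal operation the expiry check sends the refresh before the protected call, so the original request never has to be repeated. Keeping the access token out of persistent storage means a stolen refresh token is the thing that matters, which is why its lifetime (point 2) should be chosen by how long you are willing to let a stolen one mint new access tokens, not derived from the access token lifetime.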