Access and refresh tokens for customers

I am working on a product using two legged authentication with the Android SDK. When a new user logs into my app I create a shadow customer via a POST request like

curl --location --request POST 'https://api.particle.io/v1/products/<product-id>/customers/' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<client-id>' \
--data-urlencode 'client_secret=<client-secret>' \
--data-urlencode 'email=<customer-email>' \
--data-urlencode 'no_password=true'

The response I get looks like

{
    "token_type": "bearer",
    "access_token": "<access-token>",
    "expires_in": 7776000,
    "refresh_token": "<refresh-token>",
    "scope": "customer=<customer-email>"
}

I am then saving <access-token> and <refresh-token> in my server and using those with the Android SDK as in

ParticleCloudSDK.getCloud().setAccessToken(<access-token>, Calendar.getInstance().add(Calendar.YEAR, 20).time, <refresh-token>)

This partially works. The access token for the first test account that I created (90 days ago) has now expired and I’m getting unauthorized access errors when I try to use the AndroidSDK to access that test customer’s devices. I noticed the Android SDK documentation says it will automatically renew an expired access token if a refresh token exists. I’m guessing that I would have to pass the actual expiration time to setAccessToken which I can do since it’s returned from the create customer POST request. Then how would I know that the access token has been refreshed and how would I access the new tokens from the Android SDK so that I can update my server with the new tokens?

Edit:

I see that I can refresh my customer’s token with

curl --location --request POST 'https://api.particle.io/oauth/token' \
--user <client-id>:<client-secret>\
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=<refresh-token>'

Do I have to manage this manually?