The device could refresh its own token as needed, but this would require the firmware to contain Obihai's OAuth2 client-id and secret with Google, which would be a questionable design decision. (Those credentials are disposable, and should be disposed of when there's suspicion of compromise.)
In other words, it's likely that the devices rely on the provisioning server to provide updated access tokens, either on a regular basis or as needed. A network capture would easily confirm or refute this.