The device token should be de-registered from your server when a user logs out and should be a random string. You should maintain a server database of device installs which get associated with accounts and device tokens. That way, if you want to send a push notification to user X, and that user has 3 devices that all have your app installed, your server will send 3 separate push notifications to all of the user's devices. This also lets the user customize which devices receive push notifications from your app and which ones don't.
On my servers, here is how it works.
1. Some action occurs that causes my server to want to send a push notification to some user.
2. My server performs a query of the DeviceInstalls collection/table for any rows that have the userID of this given userID. If we find multiple entries it means the user has installed the app on multiple devices.
3. It pulls the "pushToken" property from all the rows and sends the push notification to all of them. Note: on each row there is also an "apnsEnabled" Boolean property. My server will only send a push notification if this property is set to TRUE.
If the user were ever to sign out or disable push notifications on one of their devices, it would call a deregisterPushNotifications endpoint on my backend which would search the DB for this device ID and would switch the apnsEnabled property to FALSE.
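
The flow described in this answer, as an added sketch (not the answerer's server code). It assumes an in-memory SQLite table; the `deviceID` column and the function names other than `deregister_push_notifications` are hypothetical. Scoping the deregister call to the signed-in user and replacing a device's row when it signs in again are assumptions added here.

```python
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE DeviceInstalls (
        deviceID    TEXT PRIMARY KEY,            -- one row per app install
        userID      TEXT NOT NULL,
        pushToken   TEXT NOT NULL,
        apnsEnabled INTEGER NOT NULL DEFAULT 1)""")
    return db

def register_device(db, user_id, device_id, push_token):
    # Called at sign-in. Replacing the row means a device that signs in as a
    # different user stops receiving the previous user's notifications.
    db.execute("INSERT OR REPLACE INTO DeviceInstalls VALUES (?, ?, ?, 1)",
               (device_id, user_id, push_token))

def push_targets(db, user_id):
    # Steps 2 and 3: every enabled token for this user, one push per device.
    rows = db.execute(
        "SELECT pushToken FROM DeviceInstalls "
        "WHERE userID = ? AND apnsEnabled = 1 ORDER BY deviceID", (user_id,))
    return [token for (token,) in rows]

def deregister_push_notifications(db, user_id, device_id):
    # Sign-out or opt-out: flip apnsEnabled to FALSE for this device.
    # Matching on userID as well (assumption) keeps one account from
    # disabling a device that belongs to another account.
    cur = db.execute(
        "UPDATE DeviceInstalls SET apnsEnabled = 0 "
        "WHERE deviceID = ? AND userID = ?", (device_id, user_id))
    return cur.rowcount == 1

if __name__ == "__main__":
    db = open_db()
    # Constructed sample data: user X has the app on three devices.
    for dev, tok in [("dev-1", "tok-aaa"), ("dev-2", "tok-bbb"), ("dev-3", "tok-ccc")]:
        register_device(db, "userX", dev, tok)
    print(push_targets(db, "userX"))
    deregister_push_notifications(db, "userX", "dev-2")   # signs out on dev-2
    print(push_targets(db, "userX"))
```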