I am about to start using Google's Calendar API where I am asking an access to my user's calendar. In the php docs example the token is being stored in a file (token.json), but in my case each user can have an access token, so I am thinking to store it in user's database table.
Access tokens expire in an hour. There is no reason to store the access token in your database. What you should be storing is your refresh token. The refresh token can be used by your application to request a new access token as it needs.
Recommend storing the contents of token.json as its easer to feed the php client library that object. By replacing file_get_contents($tokenPath)
with something like reading from your database.
Storing tokens in the database is standard prosedure. It should be safe. Anyone that hacks your database would need your client id and client secret to request a new access token using the refresh tokens stored there.
You can but TBH I don't bother.