Yes, external authentication tokens are associated with the room (they carry the user role in a particular room / account), so you do need to generate different tokens for different rooms (but you can use the same user id for all rooms, since it does refer to the same user moving between rooms).
The proper way to manage the session objects would be to cache the session object and use the server-to-server notification mechanism to get the event that a room has terminated (and invalidate the session object there). This way you minimize the access to our server.
If you are not using the notification services, you can cache the session for a reasonable amount of time that you think a room may be open (10 minutes, or whatever you think is appropriate) and then request a new session. If the room didn't end, we'll send the same "secret" again. If the room ended (and restarted or has not restarted yet), we'll generate a new "secret".
Right now there isn't an easy way to check server-side if the session is still valid (short of calling getSession at every request) but I'll try to address this problem in a future release.
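The two caching strategies described in the reply above, as an added example that is not part of the original post or of the service's own code. It assumes a `getSession(room_id)`-style call that returns the room's current "secret" (modelled here by a constructed `FakeRoomServer`, whose secret format is invented), a TTL fallback for deployments without notifications, and a server-to-server room-terminated hook that invalidates the cached entry. The TTL-only path also shows the window in which a stale secret is served after a room restart, which is the trade-off the reply points at.

```python
"""Per-room session cache following the reply above (added example, not the
service's code). getSession, the notification hook and the secret format are
assumptions; the remote server is a constructed stand-in."""
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Session:
    room_id: str
    secret: str
    fetched_at: float


class SessionCache:
    """One cached session object per room.

    get(): serve the cached session while it is within the TTL, otherwise
           call the (assumed) getSession endpoint again.
    on_room_terminated(): handler for the server-to-server notification;
           drops the entry so the next get() fetches a fresh session.
    """

    def __init__(self, fetch: Callable[[str], str], ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch          # assumed: getSession(room_id) -> secret
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Session] = {}
        self.server_calls = 0        # how often the remote server was hit

    def get(self, room_id: str) -> Session:
        now = self._clock()
        entry = self._entries.get(room_id)
        if entry is not None and now - entry.fetched_at < self._ttl:
            return entry
        # Miss or TTL expired: ask the server. Same secret if the room is still
        # open; a new secret if it ended (and maybe restarted) in the meantime.
        self.server_calls += 1
        entry = Session(room_id, self._fetch(room_id), now)
        self._entries[room_id] = entry
        return entry

    def on_room_terminated(self, room_id: str) -> None:
        """Room-terminated notification: invalidate immediately."""
        self._entries.pop(room_id, None)


class FakeRoomServer:
    """Constructed stand-in for the remote service: one secret per room
    instance; ending a room (and restarting it) yields a new secret."""

    def __init__(self):
        self._generation: Dict[str, int] = {}

    def get_session(self, room_id: str) -> str:
        gen = self._generation.setdefault(room_id, 1)
        return f"secret-{room_id}-gen{gen}"   # invented format

    def end_room(self, room_id: str) -> None:
        self._generation[room_id] = self._generation.get(room_id, 1) + 1


class FakeClock:
    """Deterministic clock so the TTL behaviour can be exercised offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo_ttl_only() -> dict:
    """No notifications: within the TTL a restarted room's old secret is still
    served; only after the TTL does a refetch pick up the new one."""
    server, clock = FakeRoomServer(), FakeClock()
    cache = SessionCache(server.get_session, ttl_seconds=600, clock=clock)
    first = cache.get("room-A").secret
    server.end_room("room-A")              # room ends and restarts server-side
    clock.advance(60)
    stale = cache.get("room-A").secret     # still inside TTL -> stale secret
    clock.advance(600)
    fresh = cache.get("room-A").secret     # TTL expired -> refetched
    return {"first": first, "stale": stale, "fresh": fresh,
            "calls": cache.server_calls}


def demo_with_notifications() -> dict:
    """With the room-terminated notification the stale window disappears."""
    server, clock = FakeRoomServer(), FakeClock()
    cache = SessionCache(server.get_session, ttl_seconds=600, clock=clock)
    first = cache.get("room-A").secret
    cache.get("room-A")                    # served from cache, no server call
    server.end_room("room-A")
    cache.on_room_terminated("room-A")     # notification -> invalidate
    fresh = cache.get("room-A").secret     # next access refetches at once
    return {"first": first, "fresh": fresh, "calls": cache.server_calls}


if __name__ == "__main__":
    print(demo_ttl_only())
    print(demo_with_notifications())
```

Both demos hit the server exactly twice, but only the notification-driven cache never hands out the old secret after the room restarted; the TTL-only cache trades that stale window for fewer calls when notifications are not available.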