"Long-lived token" means API tokens for the management API (creating/ deleting zones, listing them, automating via Terraform-style flows), not the TSIG keys for actual DNS updates. Every zone on every tier gets its TSIG key — that's what powers the updates themselves. Free tier manages zones via the dashboard; paid tiers add API tokens for programmatic management.

So no. the auth token is just for the API and can be used as a bearer for the api, the TSIG are always valid unless the domain is deleted

the free tier allows for 5 zones and all get individual tsig keys and they are always active. no need to pay unless you start handling 100s of new zones, updates, delete etc. so there is a split between the two types of tokens. hope it is clear