The app_id|app_secret
version always works (and is also how f.e. the PHP SDK creates an app access token internally).
does this token non-expired too?
And app access tokens do not have any expiry time, ever.
and why secret key changed when generated by above call??
The second part of that token is not the app_secret – the whole thing is simply an access token for your app, with your app_id as the first part. The second part is “random” (well, somehow calculated as a hash of whatever by FB, but none of your concern).
and can i use this generated token in client side call without any risk that if any hacker gets it, they can do no harm??
Of course not – it is an app access token, and can be used to do everything that can be done in the name of your app.
An app access token is never to be used in client-side code, no matter how it was obtained.