Can't get statetoken (always null)

I’m trying to implement a change password method and I need to set the statetoken, but it always comes back null when the user logs in.

I took this example used for testing (, where the statetoken could not be empty, but it is not what happens…

I think it’d make sense if you try to check the underlying APIs. If you would, you won’t be masking your session token :smiley: The state token will be present in the situation where the user’s password has expired and the user can’t just log into Okta, but rather a change password flow is initiated, presenting you with a state token to continue the flow when you submit a new password request. Here is a diagram describing the process

Thank you @phi1ipp for all your help,
my problem is that I can’t get the statetoken to reset the password with a trusted application,
so how do I obtain the statetoken for this password reset? I’ve tried to set it but I can’t get it to work at all …
Do you have any example I can follow?

But for trusted application you can use SSWS token to just issue set password operation. Why do you need a token?

@GuilhermeO Please refer to the example of Forgot password with trusted application.

You can use the SSWS token in the POST request.

```
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" \
-H "X-Forwarded-For:" \
-d '{
  "username": ""
}' "https://${yourOktaDomain}/api/v1/authn/recovery/password"
```

As for your question about how to obtain a state token,
like @phi1ipp mentioned, you can just use the SSWS token.
If you are interested, you can take a look at the video, which includes a way to get a state token (at 7'52'').
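
The thread's point about when a state token exists can be checked in code. This is an added example, not code from any poster or from Okta: it classifies a response body from the Authentication API by `status` and reports which token it should carry. The sample bodies and token values are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample bodies shaped like Okta Authentication API transaction
# responses; every token value is a placeholder, not a real token.
SAMPLES = {
    "login_ok": '{"status": "SUCCESS", "sessionToken": "SESSION-PLACEHOLDER"}',
    "login_expired": '{"status": "PASSWORD_EXPIRED", "stateToken": "STATE-PLACEHOLDER"}',
    "trusted_recovery": '{"status": "RECOVERY", "recoveryType": "PASSWORD",'
                        ' "recoveryToken": "RECOVERY-PLACEHOLDER"}',
}
TOKEN_FIELDS = ("stateToken", "recoveryToken", "sessionToken")


def redact(txn):
    """Copy of the transaction that is safe to log: token values are masked."""
    return {k: ("<redacted>" if k in TOKEN_FIELDS else v) for k, v in txn.items()}


def next_step(body):
    """Return (token_field, action) for one authn transaction response body."""
    txn = json.loads(body)
    status = txn.get("status")
    present = [f for f in TOKEN_FIELDS if txn.get(f)]
    if status == "SUCCESS":
        # A finished login carries only a one-time sessionToken; no transaction
        # is left open, so stateToken is absent (the "always null" case).
        expected, action = "sessionToken", "exchange for a session"
    elif status == "PASSWORD_EXPIRED":
        expected, action = "stateToken", "POST to /api/v1/authn/credentials/change_password"
    elif status == "RECOVERY" and "recoveryToken" in present:
        # Trusted-application (SSWS) recovery returns a recoveryToken instead.
        expected, action = "recoveryToken", "POST to /api/v1/authn/recovery/token"
    elif status in ("RECOVERY", "PASSWORD_RESET"):
        expected, action = "stateToken", "continue recovery with stateToken"
    else:
        raise ValueError(f"unhandled status: {status!r}")
    if present != [expected]:
        # Error text uses the redacted copy so tokens never reach logs.
        raise ValueError(f"{status}: expected only {expected}, got {redact(txn)}")
    return expected, action


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", next_step(body))
```
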