@GuilhermeO Please refer the example of Forgot password with trusted application.
You can use SSWS token in the POST request.
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" \
-H "X-Forwarded-For: 23.235.46.133" \
-d '{
"username": "dade.murphy@example.com",
}' "https://${yourOktaDomain}/api/v1/authn/recovery/password"
As for your question about how to obtain a state token,
like @phi1ipp mentioned, you can just use SSWS token.
If you have interest, you can take a look of the video which includes a way to get state token (at 7'52'') https://www.youtube.com/watch?reload=9&v=EVL3gnt7BYo&ab_channel=OktaDev