Passing state in auth flow

The documentation for /authorize indicates that the state is “A value to be returned in the token.” But the state appears not to actually be used by Okta except to include in the (unsigned) redirect. Is there a token somewhere that does include this state, or is the documentation in error?

(Was hoping the state was a tamper-proof message we could send between servers, but appears not to be?)

https://developer.okta.com/docs/api/resources/oidc/#request-parameters

From OAuth 2.0 RFC:

" state
RECOMMENDED. An opaque value used by the client to maintain
state between the request and callback. The authorization
server includes this value when redirecting the user-agent back
to the client. The parameter SHOULD be used for preventing
cross-site request forgery"

https://tools.ietf.org/html/rfc6749

Thank you, and you are correct. There are plenty of things in Okta that aren’t explicitly built in to rfc 6749 (heck, neither is OpenID) so I was specifically looking for clarification of the phrasing in Okta’s documentation.

(I should have left my parenthetical out so you wouldn’t have known I was trying to cheat.)