How are you handling required state tokens for OAuth 2.0 requests to prevent CSRF?

QuickBooks requires a state field with a token in their token request to prevent CSRF, and I'm wondering if there is a method that you all recommend. Does Retool have a state env variable that I could reference when making API requests that require a key-value pair?

Thanks.
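
For reference, a generic sketch of the `state` check the question describes, added here as an example that is not part of the original post and is not Retool or QuickBooks code. The in-memory store, the function names, the 10-minute lifetime and the `example.invalid` URLs are assumptions made for illustration.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

STATE_TTL_SECONDS = 600   # assumed lifetime of a pending authorization
_pending = {}             # session_id -> (state, issued_at); stand-in for a server-side session store


def begin_authorization(session_id, authorize_url, client_id, redirect_uri, scope, now=None):
    """Create an unguessable state, bind it to this session, return the redirect URL."""
    state = secrets.token_urlsafe(32)
    _pending[session_id] = (state, time.time() if now is None else now)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"{authorize_url}?{query}"


def check_callback(session_id, callback_url, now=None):
    """Return the authorization code only if the callback carries this session's state."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    # pop() makes the state single-use: a replayed callback finds nothing to match.
    expected, issued_at = _pending.pop(session_id, ("", 0.0))
    now = time.time() if now is None else now
    if not expected or now - issued_at > STATE_TTL_SECONDS:
        return None
    # Constant-time comparison of the stored and returned values.
    if not hmac.compare_digest(expected.encode(), returned.encode()):
        return None
    return params.get("code", [None])[0]
```

The code is exchanged for tokens only when `check_callback` returns a value; a `None` result means the callback did not originate from an authorization this session started.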