Hey @Jautomatic , the {state} parameter is connected to the {nonce} value that is set up when requesting access scopes like this:
https://{shop}.myshopify.com/admin/oauth/authorize?client_id={client_id}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce}&grant_options={access_mode}
The initial GET request to your app that’s triggered when a merchant installs the app before the OAuth processing begins on your end does only require the shop, timestamp and hmac params.
The [nonce] value itself is set up through a redirection URL provided by you to the merchant through a 3xx redirect. More information on this here. You can set the {nonce} value to anything you’d like - your app just verifies this value matches the one you provided during the redirect in order to authorize the app on the merchant’s store. I’d also recommend taking a look at our libraries here. We maintain official API libraries for Node.js, PHP and Ruby which include OAuth processes out of the box. There are also a few other third party libraries for other languages out there that may include this functionality.
Hope this helps!