the state can help it so the server does not need to store the state of the message-to-be-signed, since it can be verified via it being an HMAC string (if they chose to use it).
also to note, since the state is an arbitrary string that should not be modified by the client, they can also pass any other data if they want. HMAC was more of just an example of something to pass which can be used for extra verification/validation if the api provider wants to use it
1 Like