Let's say I give a randomly generated state string to a twitch OAuth process, so that when the process is done, twitch can give this string back to me via the callback redirect, to prevent CSRF attacks.

What would be the best way to store that state, so that I can verify it agains the one twitch gives back? Is storing it in a db (using supabase f.e.) the only way or is there a better way?