# What if my authorization URL is dynamic?

Any dynamic values you need for your authorization process, can be passed through the process using the `state` parameter.

### Utilizing the state parameter
Whilst the primary reason for the state parameter is documented as [preventing CSRF](https://www.rfc-editor.org/rfc/rfc6749#section-10.12), it can also be used to add dynamic values to your OAuth flow, instead of using them directly in your `redirect_uri` value.

It is common for the parameter to be a JSON string, which is then encrypted using an algorithm, for example, SHA256:

```json
{
    "csrf": "random-string",
    "user_id": "1234-abcd",
    "redirect": "/settings/dashboard"
}```
In this case, `redirect_uri` value of

```
 https://example.com/oauth?userID=1234-abcd&redirect=$URL```
where `userID=1234-abcd` and `redirect` are dynamic values, will then become:

```
?redirect_uri=https://example.com/oauth&state=base64-SHA```
When you receive the request at the end of the OAuth process, the `state` parameter can be decrypted and the various values within it used as necessary. The encryption ensures that users cannot tamper with the contents and so you can be confident the values within it can be trusted.

You can learn more about the usage of a `state` parameter [here](https://auth0.com/docs/secure/attack-protection/state-parameters).

### Adding additional URIs for your application
We can add additional URIs to your applications allowed list upon request. To do this, please email these addresses, along with your `client_id`, to [support@cronofy.com](support@cronofy.com).


---
[Read in HTML](/developers/faqs/application-management/state-param/)