diff --git a/docs/schemes/oauth2.md b/docs/schemes/oauth2.md
index c713fa21f..5e21971d6 100644
--- a/docs/schemes/oauth2.md
+++ b/docs/schemes/oauth2.md
@@ -18,7 +18,8 @@ auth: {
token_type: 'Bearer',
redirect_uri: undefined,
client_id: 'SET_ME',
- token_key: 'access_token'
+ token_key: 'access_token',
+ state: 'UNIQUE_AND_NON_GUESSABLE'
}
}
}
@@ -64,6 +65,11 @@ By default is set to `token_key: 'access_token'`. If you need to use the IdToken
By default is set to `refresh_token_key: 'refresh_token'`. It automatically store the refresh_token, if it exists.
+### `state`
+
+By default is set to random generated string.
+The primary reason for using the state parameter is to mitigate CSRF attacks. ([read more](https://auth0.com/docs/protocols/oauth2/oauth-state))
+
## Usage
```js
diff --git a/lib/schemes/oauth2.js b/lib/schemes/oauth2.js
index 6b292658f..8082e0786 100644
--- a/lib/schemes/oauth2.js
+++ b/lib/schemes/oauth2.js
@@ -70,8 +70,10 @@ export default class Oauth2Scheme {
client_id: this.options.client_id,
redirect_uri: this._redirectURI,
scope: this._scope,
- state: randomString()
- }
+ // Note: The primary reason for using the state parameter is to mitigate CSRF attacks.
+ // @see: https://auth0.com/docs/protocols/oauth2/oauth-state
+ state: this.options.state || randomString(),
+ };
if (this.options.audience) {
opts.audience = this.options.audience
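Review bot: Taking `state` from the scheme options on the `state: this.options.state || randomString(),` line undermines the CSRF mitigation the added comment cites: `state` must be unique per authorization request and bound to the user's session, whereas a value fixed in configuration (as the docs example `state: 'UNIQUE_AND_NON_GUESSABLE'` invites) is identical for every user and every login, so anyone who reads it from the client bundle can forge a callback URL that passes the state check. If an override is wanted, accept a generator rather than a literal, e.g. `state: typeof this.options.state === 'function' ? this.options.state() : randomString(),`, and say in the docs that a static string disables the protection. Separately, `||` silently replaces an empty-string override with a random value; `??` would make that intent explicit. Whether the callback handler actually compares the returned state with the stored one, and whether `randomString()` is cryptographically strong, are outside this hunk and should be confirmed.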