How do I get a unique token for the state value?

The state is completely optional. It can be used to send data to Twitch which Twitch then passes back to your on authentication…

To auth:

  1. Send the user to
    https://api.twitch.tv/kraken/oauth2/authorize ?response_type=code &client_id=[your client ID] &redirect_uri=[your registered redirect URI] &scope=[space separated list of scopes]

swapping [your client ID] for your Client ID, [your registered redirect URI] for your Registered Redirect URI, and [space separated list of scopes] for the scopes you need

  1. User accepts the auth and gets redirected to [your registered redirect URI] THEN software on your URI grabs the [CODE] from the GET parameters and makes a POST request to exchange the [CODE] for an [user access token]

You are getting a 404 because you are getting not posting.

client_id=[your client ID] &client_secret=[your client secret] &grant_type=authorization_code &redirect_uri=[your registered redirect URI] &code=[code received from redirect URI] &state=[your provided unique token]

Is supposed to be in the POST body, you are GET’ing it instead.