During some Oauth2 flows a state token is persisted to CTS and used to check the next request. This token has no expiration date and relies on the user coming back to the page/endpoint successfully for it to get deleted.
There is no guarantee that the last part of the flow will complete and in these cases the token will never be removed. Over time the system will accrue more and more of these tokens. They will not be cleaned up by the CTS reaper since they have no expiration date.
A typical token looks like this:
These tokens should be created with a short expiration date.