# ory-copilot
@chilly-king-10285 Does Kratos send the state parameter when exchanging code for access token?
A message from kapa.ai
Based on the knowledge sources provided, there isn't explicit information about whether Kratos sends the state parameter when exchanging code for access token. However, we can infer some relevant information about the use of the state parameter in Ory's authentication flows:

1. The state parameter is an important security mechanism in OAuth 2.0 and OpenID Connect flows. It's used to maintain state between the authorization request and the callback, helping to prevent cross-site request forgery (CSRF) attacks ([OAuth2 authorization code flow](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow)).
2. In the context of social sign-in for native apps, Ory uses a similar mechanism called "session token exchange code" which serves a similar purpose to the state parameter ([Social sign-in for native and mobile apps](https://www.ory.sh/docs/kratos/social-signin/native-apps)).
3. When initializing a login or registration flow, the native app receives the first part of the session token exchange code from Ory Network. After social sign-in, the user is redirected back to the app with the second part of the code ([Social sign-in for native and mobile apps](https://www.ory.sh/docs/kratos/social-signin/native-apps)).
4. The native app then exchanges this session token exchange code for a session token, which is similar to exchanging an authorization code for an access token in OAuth 2.0 ([Social sign-in for native and mobile apps](https://www.ory.sh/docs/kratos/social-signin/native-apps)).

While these sources don't explicitly state whether Kratos sends the state parameter when exchanging code for access token, they suggest that Ory implements similar security measures. However, to give a definitive answer about Kratos' specific behavior, we would need more detailed information from the Kratos documentation or API reference, which is not present in the provided knowledge sources.