The main problem is where to store the token. If it's stored in state, it will go away at each refresh / new page and the user will need to write it again. If it's stored on the user item, OP can see the value and use it to unsalt any value.
It can get really complex really fast, especially if he chooses to include the user's password into the mix.
He can make roadblocks that make it difficult for himself to get the salt, e.g. the value can be stored with an expiration that the code checks before un-salting any data. But that is still a roadblock put there by himself that he can remove if inconvenient. Also, you have logged data that might slip up, etc.
There is no easy solution; security is hard.