You could also store them temporarily in the user's session or permanently in the database. There's also a framework for storing and accessing external accounts data. We mostly use it for storing external authentication keys and associated data.
In the visitor_setup event listener function I have:
public static function visitor_setup(XenForo_Visitor &$visitor)
$visitor["api_token"] = "abc123";
On our wordpress side of the site I have:
$visitor = XenForo_Visitor::getInstance()->toArray();
I log into XenForo and browse to wordpress side of our site and the var_dump doesn't have the "api_token" or it's value. So I'm missing something or it's not getting saved. A var_dump in the XenForo function shows it (of course).
If that code is being used on the WordPress side, I would guess that whatever is talking to XF from that side isn't initialising the complete set of XF dependencies, some of which would be initialising the various code event listeners.