I am able to make API requests by providing only the Session Token. Is this working as intended? The docs clearly want me to use the anti CSRF tokens, for example here: https://blitzjs.com/docs/session-management#manual-api-requests. Please have a look at the demo repo below. It's just a bare blitz app with one api route created. A test script with CURL is included in the repo under
Replies: 1 comment
I think it's working fine because you're using CURL, and you'd need the Anti-CSRF token when making a request from another domain (e.g. client/mobile app).