#Where should I set antiCSRFToken to call Blitz API with external app


willow bone
#

Hello, I need an API for my Blitz app. I can't quite figure out this tutorial: https://blitzjs.com/docs/session-management#manual-api-requests

Where exactly should I set antiCSRFToken? What is the variable "header"? External apps should be able to send an arbitrary string to a backend route of my app without authentication.

I created a file "app/core/mutations/myRequest.ts" with this content:

```ts
import { resolver } from "@blitzjs/rpc"
import { Ctx } from "blitz"

// processRequest is the app's own handler; it is not shown in the post.
export default resolver.pipe(
  async (request: string, ctx: Ctx) => {
    await processRequest(request)
    return { status: "done" }
  }
)
```

However, when I send a POST request to http://localhost:3000/api/rpc/myRequest with Postman I get this error:

```json
{ "name": "CSRFTokenMismatchError", "statusCode": 401 }
```

upbeat verge
willow bone
upbeat verge
#

Ah sorry. So you create a CSRF token first and then you send it in the header: anti-csrf

#

Does that make sense?

willow bone
upbeat verge
#

Depends, how are you calling your API?

willow bone
#

I'm using a blitz mutation as described in the example in my question.

upbeat verge
#

With curl it would be with the flag -H

willow bone
#

Do you mean I have to generate an antiCSRFToken with getAntiCSRFToken(), console.log it and then set it in my curl request?

#

If I execute the getAntiCSRFToken message in my mutation I get a ReferenceError: localStorage is not defined

upbeat verge
#

The token is generated on the server side. So it should not give this message.
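As an added example (not code from this thread), this is what the flow described above looks like from curl: load a page once to get the anonymous session cookies, then send the anti-csrf cookie's value back in the `anti-csrf` header. It assumes the app runs at http://localhost:3000, that the cookie is named `<cookiePrefix>_sAntiCsrfToken`, that the first request through Blitz's session layer creates the anonymous session, and that the RPC body shape is `{"params": <mutation input>}`.

```sh
#!/bin/sh
# Added example, not code from the thread. Calls a Blitz RPC mutation from
# curl: first obtain the anonymous session cookies, then echo the anti-csrf
# cookie's value back in the "anti-csrf" header (double-submit check).
# Assumptions: app at BASE, cookie named "<cookiePrefix>_sAntiCsrfToken",
# an anonymous session is created by the first request that hits Blitz's
# session layer, and the RPC body is {"params": <mutation input>}.

BASE="${BASE:-http://localhost:3000}"
JAR="${JAR:-./blitz-cookies.txt}"

# Print the anti-csrf token stored in a Netscape-format cookie jar (curl -c).
# Columns: domain, flag, path, secure, expiry, name, value. Fails if absent.
anti_csrf_from_jar() {
  awk -F'\t' '$6 ~ /_sAntiCsrfToken$/ { print $7; found = 1 }
              END { exit found ? 0 : 1 }' "$1"
}

# Step 1: a page load creates the anonymous session and writes its cookies
# (session token + anti-csrf token) into the jar.
fetch_session() {
  curl -sS -c "$JAR" -o /dev/null "$BASE/"
}

# Step 2: replay the cookies and send the token in the anti-csrf header;
# without the header Blitz answers 401 CSRFTokenMismatchError.
call_mutation() {
  token="$(anti_csrf_from_jar "$JAR")" || {
    echo "no anti-csrf cookie in $JAR; run fetch_session first" >&2
    return 1
  }
  curl -sS -b "$JAR" -X POST "$BASE/api/rpc/myRequest" \
    -H "Content-Type: application/json" \
    -H "anti-csrf: $token" \
    --data '{"params":"hello from curl"}'
}

# Only talk to the network when invoked as: sh call-blitz.sh run
if [ "${1:-}" = "run" ]; then
  fetch_session && call_mutation
fi
```

The token in the jar is only valid together with the session cookie it was issued with, which is why a bare header value copied from a console.log does not help an external client.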

willow bone
upbeat verge
#

Easy answer would be: don't check auth.

willow bone
#

Ok, it can be disabled with DANGEROUSLY_DISABLE_CSRF_PROTECTION=true for all routes. But it doesn't feel like the correct way. Do I have to disable CSRF protection to enable external applications to call my API?

willow bone
upbeat verge
# willow bone How do I do that?

A simple API endpoint?

```ts
import db from "db" // not used in this snippet; kept from the original for DB access
import { NextApiRequest, NextApiResponse } from "next"

const apiEndpointFunction = async (req: NextApiRequest, res: NextApiResponse) => {
  const someId: number = parseInt(req.query.someId as string, 10)
  if (!someId) {
    // return here, otherwise the success response below is sent as well
    // and Next complains that headers were already sent
    return res.status(400).json({ msg: "missing someId" })
  }
  res.status(200).json({ msg: "hello" })
}

export default apiEndpointFunction
```

Place it in pages/api/myEndpoint.ts.