#HTTP POST REQUEST USES OLD TOKEN?

I am currently working on a backend which has a rest api, one of the services adds an activtiy to the db. I used postman to test and it worked and now i clicked on the old postman file again as I needed some more Activity objects and it got added even though there is no Token(its custom made tokens and they should get always sent in the header but its empty) does it use some old cookies from the csrftokens or what happens here I am confused.

Also the same for another get method, again no Token Header added but still works?

are you using DRF? if so how did you set your DEFAULT_AUTHENTICATION_CLASSES

Yes drf and I dont use any auth classes from django we use an own System

Have you checked if django is setting cookies? Session auth is the default authentication, so if you ar sending session cookie with your requests then it wouuld make sense that your requests are passing

Token being sent do your server doesn't matter unless you have set TokenAuth as your authentication method

My own Model has a Token entity. Without it nothing happens, yet some old token in the header still gets sent and a user gets created. Django is setting cookies, that csrftoken but nothing else. Could it be that the old header simply gets somehow saved?