CSRF is typically not so much of an issue for api applications. Csrf happens because the browser submits cookies in the request sometimes without the user’s knowledge. In the case of apis Csrf can only happen when there’s a misconfigured frontend or if the api leverages cookies (which is not typical)