Essentially, when you login, an anti-csrf token is sent to the frontend and stored in the localstorage. On each request, our

fetch

interceptors add that token to the headers, which is then verified by the backend API.