Is the above from a POST API? And is the anti-csrf token being sent in the request header (which should happen automatically)?