> If a client passes the credentials and has a valid token, then CSRF token should NOT be required.

The CSRF token isn't required if you're authenticated using a different scheme.

> With the current behavior, one must either not log in through the same browser or delete the cookie which logs the user out anyways.

We don't currently have any mechanism for a user to be authenticated with the browsable API other than session authentication.
