diff --git a/bp/auth/routes.py b/bp/auth/routes.py
index 2fe7413..5d1f334 100644
--- a/bp/auth/routes.py
+++ b/bp/auth/routes.py
@@ -123,6 +123,9 @@ def register(url_prefix="/auth"):
 
     # --- OAuth2 token exchange (for external clients like artdag) -------------
 
+    from shared.browser.app.csrf import csrf_exempt
+
+    @csrf_exempt
     @auth_bp.post("/oauth/token")
     @auth_bp.post("/oauth/token/")
     async def oauth_token():