From 3e0669a335ba297fb7aadc23f16ec398db35681e Mon Sep 17 00:00:00 2001
From: giles
Date: Tue, 24 Feb 2026 01:06:19 +0000
Subject: [PATCH] =?UTF-8?q?Exempt=20oauth/token=20from=20CSRF=20=E2=80=94?=
 =?UTF-8?q?=20server-to-server=20API=20endpoint?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

External clients like artdag POST to this endpoint from their backend, so there's no browser session with a CSRF token.

Co-Authored-By: Claude Opus 4.6
---
 bp/auth/routes.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/bp/auth/routes.py b/bp/auth/routes.py
index 2fe7413..5d1f334 100644
--- a/bp/auth/routes.py
+++ b/bp/auth/routes.py
@@ -123,6 +123,9 @@ def register(url_prefix="/auth"):
 # --- OAuth2 token exchange (for external clients like artdag) -------------
+ from shared.browser.app.csrf import csrf_exempt
+
+ @csrf_exempt
 @auth_bp.post("/oauth/token")
 @auth_bp.post("/oauth/token/")
 async def oauth_token():