by edoceo 2480 days ago
When you send a PATCH request, and include a token of the object you're patching, so the system knows you're using an up-to-date object? In that REST-like example that hash/token on the object is the same function as a CSRF token. I see this model on APIs daily.
1 comment

That sounds more like an integrity check than a CSRF control. Unless you have poor CORS settings, wouldn't SOP prevent CSRF on PATCH endpoints anyway?
It's that too. My point (still) being that passing state keys is old, common and still in use.
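As an added example, not code posted by either commenter, here is a minimal in-memory PATCH handler that carries both of the checks the thread is talking about: an object version token (sent back as If-Match, the way an ETag is) and a session-bound CSRF token. All names (`handle_patch`, `X-CSRF-Token`, the session ids, the server secret, the sample object) are assumptions made for the illustration. The three scenarios at the bottom show what each check catches: a stale update fails the version check, while a cross-site request that rides on the victim's cookie and even knows the correct version token still fails the CSRF check, because the version is derivable from the object and the CSRF token is not.

```python
"""Added example (not code from the thread): a minimal in-memory PATCH handler
carrying both checks discussed above, an object version token (optimistic
concurrency / integrity check, sent as If-Match like an ETag) and a
session-bound CSRF token. Every name here is hypothetical."""
import hashlib
import hmac
import json

# Constructed server-side secret used to mint per-session CSRF tokens.
SERVER_SECRET = b"constructed-server-secret"


def version_of(obj):
    """Version token of an object: a hash of its canonical JSON. Anyone who can
    read the object can compute it, so it is not a secret."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def csrf_token_for(session_id):
    """CSRF token bound to one session; only the server (and the page it served
    to that session) knows it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_patch(objects, oid, session_id, headers, patch):
    """Apply a PATCH. `objects` is the store (a dict), `session_id` is what the
    session cookie resolved to, `headers` are the request headers.
    Returns (http_status, response_dict)."""
    # Check 1: CSRF. The request must carry the token minted for this session.
    expected = csrf_token_for(session_id)
    presented = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(presented, expected):
        return 403, {"error": "missing or invalid CSRF token"}

    current = objects.get(oid)
    if current is None:
        return 404, {"error": "no such object"}

    # Check 2: optimistic concurrency. The client names the version it read;
    # if someone else changed the object since, refuse the lost update.
    if headers.get("If-Match") != version_of(current):
        return 412, {"error": "stale version", "current": version_of(current)}

    updated = {**current, **patch}
    objects[oid] = updated
    return 200, {"object": updated, "version": version_of(updated)}


def run_scenarios():
    """Three requests against one constructed object; returns their outcomes."""
    objects = {"42": {"title": "draft", "owner": "alice"}}
    alice, mallory = "sess-alice", "sess-mallory"  # constructed session ids
    v0 = version_of(objects["42"])

    # (a) Alice's genuine update: her CSRF token, current version -> 200.
    ok_status, ok_body = handle_patch(
        objects, "42", alice,
        {"X-CSRF-Token": csrf_token_for(alice), "If-Match": v0},
        {"title": "final"},
    )

    # (b) Alice retries from a stale tab, still naming the old version -> 412.
    stale_status, _ = handle_patch(
        objects, "42", alice,
        {"X-CSRF-Token": csrf_token_for(alice), "If-Match": v0},
        {"title": "older edit"},
    )

    # (c) Cross-site request riding on Alice's cookie. Mallory has read the
    # object and so knows the current version token, but can only produce a
    # CSRF token for her own session, not Alice's -> 403, object untouched.
    forged_status, _ = handle_patch(
        objects, "42", alice,
        {"X-CSRF-Token": csrf_token_for(mallory), "If-Match": ok_body["version"]},
        {"owner": "mallory"},
    )
    return {
        "genuine": ok_status,
        "stale": stale_status,
        "forged": forged_status,
        "owner_after": objects["42"]["owner"],
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The CSRF check runs before the version check on purpose: the version token is a property of the object that any reader can recompute, so it only tells the server the client saw the latest state, while the CSRF token is a property of the session that a third-party origin cannot obtain. In a real browser a PATCH carrying a custom header or a JSON body is also subject to a CORS preflight, which is the SOP point raised in the reply above; the handler here just shows why the two tokens answer different questions even when both are "a hash passed with the request".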