Send a HEAD or GET request to any OData service document (e.g. /$metadata) with header 'X-CSRF-Token: Fetch'
Extract the token from the response header 'X-CSRF-Token' and capture all Set-Cookie values
Include the token in the request header 'X-CSRF-Token: <token>' and forward the session cookies on every non-GET call (POST, PUT, PATCH, DELETE)
On a 403 response with header 'X-CSRF-Token: Required', treat the token as expired, re-fetch, and retry the original request
Use the same HTTP session (connection pool keyed to the session cookie) throughout to avoid token/session mismatch
Known gotchas
The header name in requests and responses is 'X-CSRF-Token' (not 'X-CSRF-TOKEN'); case sensitivity varies by client library, so normalise before matching
Tokens are scoped to an HTTP session; if your client drops cookies between calls, the server returns 403 even with a valid-looking token
Fetching against $metadata counts as a full metadata load — prefer fetching against the service root document to reduce payload size
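The fetch, attach and retry-on-403 flow above, as an added example (not code from the original page), written in Python with only the standard library. The class name CsrfSession, its method names and the caller-supplied service root URL are assumptions made for illustration; one object holds one cookie jar and one token so the two cannot drift apart.

```python
import urllib.error
import urllib.request
from http.cookiejar import CookieJar


class CsrfSession:
    """Keeps the CSRF token and its session cookies together for one service."""

    def __init__(self, service_root):
        # service_root is an assumed URL of the OData service root document.
        self.root = service_root.rstrip("/") + "/"
        self.jar = CookieJar()  # stores every Set-Cookie and replays it
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))
        self.token = None

    def _open(self, method, path, body=None, headers=None):
        req = urllib.request.Request(self.root + path.lstrip("/"), data=body,
                                     method=method, headers=headers or {})
        with self.opener.open(req, timeout=10) as resp:
            return resp.status, resp.read(), resp.headers

    def fetch_token(self):
        # Fetch against the service root, not $metadata, to keep the payload small.
        _, _, headers = self._open("HEAD", "", headers={"X-CSRF-Token": "Fetch"})
        # Message.get() matches header names case-insensitively.
        self.token = headers.get("X-CSRF-Token")
        if not self.token:
            raise RuntimeError("server returned no X-CSRF-Token header")
        return self.token

    def send(self, method, path, body=None, content_type="application/json"):
        """Send a request; non-GET calls carry the token and session cookies."""
        if method.upper() in ("GET", "HEAD"):
            return self._open(method, path)[:2]
        if self.token is None:
            self.fetch_token()
        for attempt in (1, 2):
            headers = {"X-CSRF-Token": self.token, "Content-Type": content_type}
            try:
                return self._open(method, path, body, headers)[:2]
            except urllib.error.HTTPError as err:
                required = (err.headers.get("X-CSRF-Token") or "").lower() == "required"
                # Retry once, and only for the token-expired signal; any other
                # 403 is a real authorization failure and must surface.
                if err.code == 403 and required and attempt == 1:
                    self.fetch_token()
                    continue
                raise
```

The retry is capped at one attempt so a server that keeps answering 403 cannot put the client into a fetch loop.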