name: xsrf_token
in: cookie
required: true
schema:
  type: string
  pattern: "^[a-zA-Z0-9_-]{32,64}$"
  example: "abc123def456ghi789jkl012mno345pqr"
description: |
  Anti-CSRF token (Double Submit Cookie pattern).
  Stored in non-HttpOnly cookie, readable by JavaScript.
  Must be echoed in `X-XSRF-TOKEN` header for state-changing requests (POST/PUT/PATCH/DELETE).
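
The server-side check that this parameter description implies, as an added example that is not part of the original spec. The function name `check_xsrf`, the dict-of-headers input shape and the `session` cookie in the sample are assumptions; the sample requests are constructed.

```python
import hmac
import re
from http.cookies import CookieError, SimpleCookie

# Same character class and length bounds as the schema pattern; fullmatch()
# is used because "$" alone would also accept a trailing newline in Python.
TOKEN_RE = re.compile(r"[a-zA-Z0-9_-]{32,64}")
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def check_xsrf(method, headers):
    """Return (allowed, reason). `headers` is a plain dict (assumed input shape)."""
    if method.upper() not in STATE_CHANGING:
        return True, "token not required for this method"

    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    jar = SimpleCookie()
    try:
        jar.load(h.get("cookie", ""))
    except CookieError:
        return False, "cookie missing or malformed"

    morsel = jar.get("xsrf_token")
    cookie_token = morsel.value if morsel else ""
    header_token = h.get("x-xsrf-token", "")

    if not TOKEN_RE.fullmatch(cookie_token):
        return False, "cookie missing or malformed"
    if not TOKEN_RE.fullmatch(header_token):
        return False, "header missing or malformed"
    # Constant-time comparison so timing does not reveal how much of the token matched.
    if not hmac.compare_digest(cookie_token, header_token):
        return False, "header does not match cookie"
    return True, "ok"


if __name__ == "__main__":
    token = "abc123def456ghi789jkl012mno345pqr"  # example value from the spec
    cookie = f"session=s1; xsrf_token={token}"   # constructed sample request data
    print(check_xsrf("POST", {"Cookie": cookie, "X-XSRF-TOKEN": token}))
    print(check_xsrf("POST", {"Cookie": cookie}))
    print(check_xsrf("DELETE", {"Cookie": cookie, "X-XSRF-TOKEN": "A" * 32}))
    print(check_xsrf("GET", {"Cookie": cookie}))
```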