ErnieApp interview question

Django REST framework provides CSRF protection. When should it be used?

Interview answer

Anonymous

Apr 15, 2020

CSRF should be used when using SessionAuthentication in order to make sure that only the AJAX requests from the same context as the API are allowed. If you want your API to be publicly available you should probably look at TokenAuthentication or implement your own authentication backend.
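The rule in the answer above, as an added example that is not part of the original answer or of Django REST framework's own code: a simplified, stdlib-only model in which session (cookie) authentication demands a matching CSRF token on unsafe methods while token authentication does not. The request dict, `SESSIONS`, `API_TOKENS` and the function names are assumptions made for illustration; `sessionid`, `csrftoken` and `X-CSRFToken` are Django's default cookie and header names.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed sample data for this model (not real credentials).
SESSIONS = {"sess-abc": "alice"}   # session cookie value -> user
API_TOKENS = {"tok-123": "bob"}    # API token -> user


class CSRFFailed(Exception):
    """Raised when a session-authenticated unsafe request lacks a valid token."""


def make_request(method, cookies=None, headers=None):
    # Hypothetical minimal request object used only by this example.
    return {"method": method, "cookies": cookies or {}, "headers": headers or {}}


def session_auth(request):
    """Cookie-based auth: the browser attaches the session cookie to every
    request, including ones triggered by another site, so an unsafe method
    must also carry a header value that only same-origin script can read."""
    user = SESSIONS.get(request["cookies"].get("sessionid"))
    if user is None:
        return None  # anonymous request: no session to abuse, no CSRF check
    if request["method"] not in SAFE_METHODS:
        cookie = request["cookies"].get("csrftoken", "")
        header = request["headers"].get("X-CSRFToken", "")
        # Simplification: Django also masks tokens and checks Origin/Referer.
        if not cookie or not hmac.compare_digest(cookie, header):
            raise CSRFFailed("CSRF token missing or incorrect")
    return user


def token_auth(request):
    """Header-based auth: the credential is set explicitly by the client and
    is never attached automatically by a browser, so no CSRF check is needed."""
    scheme, _, key = request["headers"].get("Authorization", "").partition(" ")
    if scheme != "Token":
        return None
    return API_TOKENS.get(key)
```

In a real project the same choice is made through `DEFAULT_AUTHENTICATION_CLASSES` in the `REST_FRAMEWORK` setting, or per view with `authentication_classes`.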