When you try to submit a form in Mastodon such as posting a status, changing account settings, or logging in, you may see a CSRF Token Mismatch error. This error means the security token that verifies your request is missing or does not match what the server expects. The cause is often a stale browser session, a misconfigured reverse proxy, or an expired authentication token. This article explains why the error occurs and provides clear steps to resolve it.
CSRF stands for Cross-Site Request Forgery. Mastodon protects your account by embedding a unique token in every form. If that token is invalid, the server rejects the submission. You will see the error on almost any form submission, from sending a toot to updating your profile.
Follow the steps below to fix the issue on your end. In most cases, you can resolve it without contacting your instance administrator.
Key Takeaways: Fixing the CSRF Token Mismatch Error in Mastodon
- Clear browser cookies and cache: Removes stale session data that causes token mismatches.
- Log out and log back in: Refreshes the CSRF token stored in your session.
- Disable problematic browser extensions: Extensions that block scripts or modify headers can strip the CSRF token from forms.
Why Mastodon Shows a CSRF Token Mismatch Error
Mastodon uses a CSRF token to verify that every form submission comes from you and not from a malicious third party. The token is generated when you load a page and is tied to your session. When you submit the form, Mastodon compares the token in the request with the one stored in your session. If they do not match, the server returns the CSRF Token Mismatch error.
Common causes include:
- Your browser session expired or the token rotated while you were filling out a form.
- Your browser cached an old page with a stale token.
- A reverse proxy or caching layer (like Nginx or Cloudflare) is caching pages and serving expired tokens.
- A browser extension is blocking or modifying the token field.
- Your Mastodon instance has a misconfigured secret key base.
The error can appear on any form: login, signup, posting, editing profile, or changing settings. It is not specific to one action.
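To make the check described above concrete, here is a small Ruby model of the synchronizer-token pattern that Mastodon (a Rails application) relies on. It is an added illustration written for this article, not Mastodon's or Rails' own code, and it simplifies the real implementation (Rails additionally masks the token per request); the class, method and parameter names are assumptions. It plays through three situations from the list above: a fresh page, a page rendered before the session rotated, and a form whose hidden token field was stripped.

```ruby
require "securerandom"

# Constant-time comparison so the check does not leak how many leading
# bytes of the submitted token were correct. A length mismatch is rejected up front.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# CsrfSession stands in for the server-side session (assumed name, not a Rails class).
# render_form models the page that embeds the token as a hidden field;
# verify models the server's check when the form is submitted.
class CsrfSession
  attr_reader :token

  def initialize
    rotate!
  end

  # Logging out and back in, or session expiry, discards the old token.
  def rotate!
    @token = SecureRandom.urlsafe_base64(32)
  end

  # Rendering a form embeds the session's current token.
  # "authenticity_token" is the field name Rails uses for this purpose.
  def render_form
    { "authenticity_token" => @token, "status" => "" }
  end

  # The check on submission: the token must be present and equal to the session's.
  def verify(params)
    submitted = params["authenticity_token"]
    return [:mismatch, "token missing from request"] if submitted.nil? || submitted.empty?
    return [:mismatch, "token does not match session"] unless constant_time_equal?(submitted, @token)
    [:ok, nil]
  end
end

# The three scenarios from the article, each returning [result, reason].
def csrf_scenarios
  session = CsrfSession.new

  # 1. Fresh page, immediate submit: the tokens match.
  fresh = session.verify(session.render_form.merge("status" => "hello"))

  # 2. Stale page: the form was rendered, then the session rotated
  #    (logout/login, expiry, or a cached copy of an older page was served).
  stale_form = session.render_form
  session.rotate!
  stale = session.verify(stale_form)

  # 3. Hidden field stripped, e.g. by an extension that rewrites forms.
  stripped = session.verify(session.render_form.reject { |k, _| k == "authenticity_token" })

  { fresh: fresh, stale: stale, stripped: stripped }
end

csrf_scenarios.each do |name, (result, reason)|
  puts "#{name}: #{result}#{reason ? " (#{reason})" : ""}"
end
```

Only the first scenario passes; the other two produce the mismatch that the user sees as the CSRF Token Mismatch error, which is why refreshing the page (new form, current token) or logging back in (new session, new token) resolves it.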
Steps to Fix the CSRF Token Mismatch Error
Try the following methods in order. Start with the simplest fixes that do not require administrator access.
Method 1: Refresh the Page and Resubmit
Sometimes the token expired while you were typing. Refreshing the page loads a fresh token.
- Press F5 or Ctrl+R
This reloads the current page. Mastodon generates a new CSRF token when the page loads.
- Fill out the form again and submit
Do not use the browser back button. Use the refreshed page.
Method 2: Log Out and Log Back In
Logging out clears your session and invalidates the old token. Logging in creates a fresh session with a new token.
- Go to Preferences > Account
Click the hamburger menu (three horizontal lines) in the top left, then select Preferences. On the Preferences page, click Account in the left sidebar.
- Click Log out at the bottom of the Account page
You are redirected to the Mastodon login page.
- Enter your email and password and click Log in
Mastodon creates a new session with a valid CSRF token.
- Navigate to the form you were using and submit it again
The error should no longer appear.
Method 3: Clear Browser Cookies and Cache
Stale cookies or cached pages can store an old token. Clearing them forces the browser to fetch a fresh page and a new token.
- Open your browser settings
In Chrome, click the three-dot menu and select Settings. In Firefox, click the hamburger menu and select Settings. In Edge, click the three-dot menu and select Settings.
- Go to Privacy and Security
In Chrome, click Privacy and security in the left sidebar. In Firefox, click Privacy and Security. In Edge, click Privacy, search, and services.
- Clear browsing data
In Chrome, click Clear browsing data. Select Cookies and other site data and Cached images and files. Set the time range to All time. Click Clear data. In Firefox, click Clear data, check Cookies and Site Data and Cached Web Content, then click Clear. In Edge, click Choose what to clear, select Cookies and other site data and Cached images and files, then click Clear now.
- Restart your browser and log in to Mastodon again
The CSRF token mismatch error should be resolved.
Method 4: Disable Browser Extensions Temporarily
Extensions that block scripts, modify headers, or manage cookies can strip the CSRF token from forms. Test with all extensions disabled.
- Open your browser’s extension manager
In Chrome, type chrome://extensions in the address bar. In Firefox, type about:addons. In Edge, type edge://extensions.
- Disable all extensions
Toggle each extension off. Do not uninstall them.
- Restart your browser and try submitting the form again
If the error disappears, re-enable extensions one by one to identify the culprit. Keep the problematic extension disabled or adjust its settings to allow Mastodon.
Method 5: Use a Private or Incognito Window
A private window starts with a clean session and no cached data. This isolates the problem from your normal browsing profile.
- Open a private window
In Chrome, press Ctrl+Shift+N. In Firefox, press Ctrl+Shift+P. In Edge, press Ctrl+Shift+N.
- Go to your Mastodon instance and log in
Use your email and password.
- Submit the form that previously showed the error
If it works in private mode, the issue is related to your normal browser profile’s cache, cookies, or extensions.
Method 6: Check Your Reverse Proxy Configuration (Instance Admin Only)
If you run your own Mastodon instance, a misconfigured reverse proxy (Nginx, Apache, or Cloudflare) can cache pages and serve stale CSRF tokens. Ensure that dynamic pages are not cached.
- Edit your Nginx configuration file
Locate the server block for your Mastodon domain. Add or modify the following lines to disable caching for dynamic content: proxy_no_cache 1; proxy_cache_bypass 1;
- Reload Nginx
Run sudo systemctl reload nginx or sudo nginx -s reload.
- Test the form submission again
Clear your browser cache before testing.
If Mastodon Still Shows the CSRF Token Mismatch Error
Error persists on all browsers and devices
If the error occurs on multiple browsers and devices, the problem is likely on the server side. Contact your instance administrator. The admin should check the Mastodon logs for CSRF-related errors and verify that the SECRET_KEY_BASE environment variable is set correctly. If the secret key base was changed recently, all existing sessions become invalid. The admin can regenerate the key and restart Mastodon services.
Error only appears on the login or signup form
A reverse proxy or CDN may be caching the login page. The admin should ensure that the login page is not cached. In Nginx, add add_header Cache-Control "no-store"; to the location block for the login page.
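Putting the directives from Method 6 and this section together, the following Nginx fragment shows one way to keep the Mastodon web app, and the login page in particular, out of any proxy or browser cache. It is an added example for this article, not configuration shipped with Mastodon; the upstream name mastodon-web is an assumption, and /auth/sign_in is the login path on a default Mastodon install (adjust it if your instance differs).

```nginx
# Added example, not Mastodon's own configuration.
# Inside the server block for your Mastodon domain.

# Dynamic pages: never read from or write to a proxy cache.
location / {
    proxy_pass http://mastodon-web;   # assumed upstream name
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Both are needed: proxy_cache_bypass skips any cached copy on the way in,
    # proxy_no_cache stops the response from being stored on the way out.
    proxy_no_cache 1;
    proxy_cache_bypass 1;
}

# Login page: additionally tell browsers and CDNs not to store it.
location = /auth/sign_in {
    proxy_pass http://mastodon-web;   # assumed upstream name
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_no_cache 1;
    proxy_cache_bypass 1;
    add_header Cache-Control "no-store";
}
```

One Nginx caveat worth checking: add_header directives declared in a location block replace, rather than extend, any add_header lines inherited from the enclosing server block, so security headers set at server level must be repeated in this location or they will disappear from the login page. Reload Nginx and clear the browser cache before retesting, as in Method 6.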
Error appears after using the browser back button
The back button loads a cached page with an old token. Do not use the back button to return to a form. Instead, refresh the page or navigate to the form again using the Mastodon interface.
Mastodon CSRF Token Mismatch vs Other Authentication Errors
| Item | CSRF Token Mismatch | Session Expired |
|---|---|---|
| Error message | CSRF Token Mismatch | Your session has expired. Please log in again |
| When it appears | On form submission | On page load or form submission |
| Root cause | Token missing or mismatched | Session cookie expired or deleted |
| Fix | Refresh page, clear cache, or log out and back in | Log in again |
| Server-side cause | Misconfigured reverse proxy or changed secret key base | Session timeout setting too low |
Now you know how to fix the CSRF Token Mismatch error in Mastodon. Start by refreshing the page or logging out and back in. If the error persists, clear your browser cache and disable extensions. For server-side issues, check the reverse proxy configuration and the secret key base. As an advanced tip, instance administrators can set the RAILS_MAX_REQUESTS environment variable to control how many requests a process handles before restarting, which can prevent token staleness in high-traffic instances.