I have a REST API based on ASP.NET Core 3.1. This API will is called by other servers, currently there is no client application which calls this API.
In such a scenario do I need Anti-Forgery tokens? Also if its needed how inject anti-forgery tokens in a Server-to-Server communications scenario?
Here is an offical document about csrf.
A CSRF token is generated based on Http Session. If your API endpoint is relying on a cookie /or some mechanism to reestablish the session.You need to prevent CSRF attack.In the official link,you can see the example of CSRF attack,it includes an authentication cookie.