About X-Csrf-Token #4

@daydreamer-json

Description

In order for users to write data to Pixiv (add to bookmarks, likes, and most POST requests), in addition to the conventional Cookie (PHPSESSID) auth, X-Csrf-Token must be added to the request header.
Here are some notes on how to obtain a CSRF token.
#1 will also be resolved.


The token is stored in __NEXT_DATA__, which is output by Next.js's SSG/SSR.
It can be extracted with the following code. (For Bun)

```js
const url = 'https://www.pixiv.net/artworks/131341555';
const PHPSESSID = 'YOUR_PHPSESSID_STRING';

await (async () => {
  // Fetch the artwork page as the logged-in user; with no PHPSESSID the request is anonymous.
  const response = await fetch(url, {
    headers: {
      'Cookie': PHPSESSID ? `PHPSESSID=${PHPSESSID}` : '',
    }
  });
  // Collect the text of <script id="__NEXT_DATA__"> while the HTML streams through.
  let nextData = '';
  const rewriter = new HTMLRewriter()
    .on('script#__NEXT_DATA__', {
      text(textChunk) {
        nextData += textChunk.text;
      }
    });
  const transformedStream = rewriter.transform(response);
  // Drain the stream so the handler above runs over the whole document.
  await Bun.readableStreamToArray(transformedStream.body);
  if (!nextData) throw new Error('__NEXT_DATA__ not found');
  // serverSerializedPreloadedState is a JSON string nested inside JSON, so parse twice.
  const csrfToken = JSON.parse(JSON.parse(nextData).props.pageProps.serverSerializedPreloadedState).api.token;
  console.log(csrfToken);
})();
```

It's much easier with a browser. Open any artwork page and execute the following code in the console.

```js
console.log(JSON.parse(JSON.parse(document.getElementById('__NEXT_DATA__').innerHTML).props.pageProps.serverSerializedPreloadedState).api.token)
```

If you do not specify PHPSESSID, you will be anonymous and the CSRF token will be variable.
If you are anonymous, you cannot obtain the token from the top page (because the login screen will be displayed).
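As an added example (not the issue author's code, and not a Pixiv or Bun API): the same extraction applied to a saved HTML string with a regular expression instead of HTMLRewriter, so it also runs under Node, together with the Cookie plus X-Csrf-Token header pair a write request needs. The page markup, the token and the session value are constructed placeholders.

```javascript
// Added example (not the issue author's code): parse the CSRF token out of
// page HTML without Bun's HTMLRewriter, so it also runs under Node.
// The HTML below is CONSTRUCTED to mirror the __NEXT_DATA__ layout the issue
// describes; the token and session values are placeholders, not real ones.

function extractCsrfToken(html) {
  // Locate the Next.js data script regardless of attribute order.
  const match = html.match(
    /<script[^>]*\bid=["']__NEXT_DATA__["'][^>]*>([\s\S]*?)<\/script>/i
  );
  if (!match) throw new Error('__NEXT_DATA__ not found');
  const nextData = JSON.parse(match[1]);
  // serverSerializedPreloadedState is a JSON string nested inside JSON,
  // hence the second JSON.parse below.
  const serialized = nextData?.props?.pageProps?.serverSerializedPreloadedState;
  if (typeof serialized !== 'string') {
    throw new Error('serverSerializedPreloadedState missing');
  }
  const token = JSON.parse(serialized)?.api?.token;
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('api.token missing');
  }
  return token;
}

// Header pair for a write request, as the issue describes: the session
// cookie plus the X-Csrf-Token taken from a page fetched with that session.
function writeRequestHeaders(phpsessid, csrfToken) {
  return { 'Cookie': `PHPSESSID=${phpsessid}`, 'X-Csrf-Token': csrfToken };
}

// Constructed sample page. Building the payload with JSON.stringify yields a
// double-encoded (escaped) string like the one Next.js emits in __NEXT_DATA__.
const SAMPLE_NEXT_DATA = JSON.stringify({
  props: { pageProps: {
    serverSerializedPreloadedState: JSON.stringify({ api: { token: 'constructed-token-0123' } }),
  } },
});
const SAMPLE_HTML =
  '<!DOCTYPE html><html><head></head><body>' +
  `<script id="__NEXT_DATA__" type="application/json">${SAMPLE_NEXT_DATA}</script>` +
  '</body></html>';

const csrfToken = extractCsrfToken(SAMPLE_HTML);
console.log(writeRequestHeaders('YOUR_PHPSESSID_STRING', csrfToken)); // X-Csrf-Token: constructed-token-0123
```

A page that shows the login screen instead (the anonymous case from the issue) carries no `__NEXT_DATA__` token, and the function throws rather than returning a stale or empty value.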
