“Invalid or missing CSRF token” error message

Available for:

If you see this error message when logging into your Todoist account, don’t panic– there are simple solutions depending on which browser you use.

The “Invalid or missing CSRF token” message means that your browser couldn’t create a secure cookie, or couldn’t access that cookie to authorize your login. This can be caused by ad- or script-blocking plugins, but also by the browser itself if it's not allowed to set cookies.

To address this issue, follow these steps.


  1. Open Chrome Preferences
  2. Scroll to the bottom and click on Show advanced settings…
  3. In the Privacy section, click the Content Settings button
  4. Click the Manage exceptions button under Cookies
  5. Under Hostname Pattern type [*.]todoist.com and click “Allow.” Type [*.]cloudfront.net and click “Allow.” Click done.
  6. Click the All cookies and site data button, search for todoist, and delete all Todoist-related entries.
  7. Reload Chrome and log into Todoist.


  1. Go to Firefox's Options -> Privacy menu.
  2. In the "History" section, select "Use custom settings for history" from the drop-down menu.
  3. Click on "Exceptions" and whitelist todoist.com and cloudfront.net
  4. Go to Firefox's Options -> Advanced -> Network menu.
  5. Delete Todoist's offline data from the list at the bottom of that page.
  6. Reload Firefox and log into Todoist.

Note - if this alone won't help, please enable third-party cookies in the menu mentioned in point 2.


  1. Open Safari Preferences from the drop-down menu in the navigation bar or by typing Cmd + , (⌘,).
  2. Click the Privacy tab and make sure that "Cookies and website data" is set to either "Always allow" or "Allow from websites I visit".
  3. Click on the Manage Website Data button to see all locally stored website data.
  4. Search for “Todoist” and remove all Todoist-related entries.
  5. Reload Safari and log into Todoist.