CSRF Token for Api Auth with Cross Domain

Hello,

we have a problem with authentication. The validatePassword method is kinda slow, and we want to change our basicAuth to session based csrf. I've read that this is only possible if the api (kirby) calls came from the same site/domain.

Therefore, session-based authentication works best when you make API calls from the frontend of the same site/domain.

Now, we're sending the insecure base64 auth for every api call in the frontend, which is not the way to go.

Is there a solution to do this from another domain?
We've created an API call to generate a csrf token to work with, but sending this csrf token via the X-CSRF header causes a 403 (Unauthenticated) error.

// site/config/config.php
'api' => [
    'allowInsecure' => true,
    // 'basicAuth' => true, // what should I do with this, if csrf is set?
    // custom API routes must be registered under the 'routes' key
    'routes' => [
        [
            'pattern' => '/randomApiBlabla',
            'method'  => 'GET',
            'auth'    => true,
            'action'  => function () {
                // the API layer JSON-encodes the returned array itself;
                // wrapping csrf() in json_encode() would double-encode it
                return ['token' => csrf()];
            }
        ],
    ]
],
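To illustrate why a session-based CSRF token only works for calls from the same site, here is an added, self-contained PHP sketch (not Kirby's own code and not part of the original post). It assumes a hypothetical in-memory `SessionStore` in place of the real PHP session: the token is stored server-side and looked up through the session cookie, so a request that arrives without that cookie has no session to check the token against and is rejected, even if the token value itself was issued earlier.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for $_SESSION: session id -> stored CSRF token.
// Kirby's csrf() helper works on the same principle (token kept in the session).
final class SessionStore
{
    /** @var array<string, string> session id => csrf token */
    private array $sessions = [];

    // Start a session and bind a fresh random token to it.
    public function create(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = bin2hex(random_bytes(32));
        return $id;
    }

    // Token for a session id, or null when the session is unknown / expired.
    public function token(string $sessionId): ?string
    {
        return $this->sessions[$sessionId] ?? null;
    }
}

// Verify one request: the session cookie and the X-CSRF header must both be
// present, and the header must match the token stored for that session.
// hash_equals() is a constant-time compare; this is far cheaper per request
// than re-running a password hash for Basic auth on every call.
function verifyRequest(SessionStore $store, ?string $sessionCookie, ?string $csrfHeader): bool
{
    if ($sessionCookie === null || $csrfHeader === null) {
        return false;                 // no session or no header: reject (403)
    }
    $expected = $store->token($sessionCookie);
    if ($expected === null) {
        return false;                 // unknown or expired session: reject
    }
    return hash_equals($expected, $csrfHeader);
}

$store = new SessionStore();
$sid   = $store->create();
$token = $store->token($sid);

// Same-site call: the browser sends the session cookie and the script adds
// the X-CSRF header; this is the case that should be accepted.
var_dump(verifyRequest($store, $sid, $token));

// Cross-domain call: the token was fetched earlier, but the browser does not
// attach the API site's session cookie to a request made from another origin,
// so the server has no session to match the token against and rejects it.
var_dump(verifyRequest($store, null, $token));

// Header missing or tampered: rejected as well.
var_dump(verifyRequest($store, $sid, 'not-the-issued-token'));
```

The design point is that the token is never validated on its own; it is validated relative to a session, and the session is carried by a cookie that is scoped to the API's domain. A frontend on another domain therefore needs some form of credential that crosses origins (for example a token presented in a header and validated against server-side state, together with a CORS policy on the API), rather than the CSRF token alone.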