drupal/core/modules/rest/rest.routing.yml

rest.csrftoken:
  path: '/rest/session/token'
  defaults:
    _controller: '\Drupal\rest\RequestHandler::csrfToken'
  requirements:
    _access: 'TRUE'