@stefanzilske this makes it clearer.
The /custompath/api/ is actually mapped in the CsrfPreventionFilter through the /api/* parameter here:
registerFilter("CsrfPreventionFilter", SpringBootCsrfPreventionFilter.class, properties.getWebapp().getCsrf().getInitParams(),"/api/*", "/app/*");
Any modifying requests sent at endpoint on this path will expect a CSRF token.
The /api/* and /app/* segments come from the Camunda Webapps and can’t be changed, so without overriding CamundaBpmWebappInitializer and disabling the CsrfPreventionFilter, you would have to change the context path of your Rest API (ex. /custompath/rest-api/).
Does modifying the context path of your Rest API solve the problem?
Best,
Nikola