CSRF attacks are attacks in which malicious websites use your API / service with their own data. If the client session is valid, this 'malicious' request will go through.
Let's assume a good site A and a bad site B.
The user opens site A in the browser and does some transaction.
While this window is still open, the user visits site B.
Site B has some 'nasty' JavaScript which posts a request to site A.
Since the session for A is still valid in the browser, site B could gain access to site A's API and do whatever they want.
To avoid this kind of forgery attack, a token can be used.
Some information on how to prevent these attacks:
http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages
Hack Proof Your ASP.NET Application Part 3 (Cross Site Request Forgery)
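
The token check described above, as an added example that is not part of the original answer: a Python model of a per-session anti-forgery token, showing why the session cookie alone is not enough. The in-memory session store, function names and form fields are assumptions for illustration; ASP.NET MVC provides this through `@Html.AntiForgeryToken()` and `[ValidateAntiForgeryToken]`.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> anti-forgery token.
# All names here are hypothetical and exist only for this example.
SESSIONS = {}

def login():
    """Site A creates a session and a random per-session token."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id

def render_form(session_id):
    """Site A embeds the token in its own pages. Site B cannot read it,
    because the same-origin policy blocks cross-site reads of A's HTML."""
    return {"csrf_token": SESSIONS[session_id]}

def handle_post(cookie_session_id, form):
    """State-changing endpoint on site A: requires cookie AND token."""
    expected = SESSIONS.get(cookie_session_id)
    if expected is None:
        return 401, "no valid session"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "anti-forgery token missing or wrong"
    return 200, "transaction for %s accepted" % form.get("amount")

def demo():
    sid = login()
    # Request from site A's own page: cookie plus the token from the form.
    own = dict(render_form(sid), amount="10")
    # Requests triggered from site B: the browser attaches A's cookie
    # automatically, but B does not know the token.
    cross_site_no_token = {"amount": "9999"}
    cross_site_bad_token = {"amount": "9999", "csrf_token": "guess"}
    requests = (own, cross_site_no_token, cross_site_bad_token)
    return [handle_post(sid, form)[0] for form in requests]

if __name__ == "__main__":
    print(demo())
```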