How to protect web app against login CSRF while also allowing mobile app/curl to access REST API?

I am using Django REST framework.

I want a single API for all of my clients (web, mobile, curl).

I understand that I need to include a CSRF token in requests originating from the web client, to protect against CSRF. However, this is not needed for mobile and curl clients.

How can I securely differentiate between client types so I can require a CSRF token for web clients but not for all other clients?

I have thought about the following:

  • Checking Origin and Referer headers. Django's CSRF middleware already does this. However, is it safe to assume not having these headers means the request has not come from the web client?
  • Having an unauthenticated CSRF endpoint that returns a valid token. However, this is inconvenient to use for clients such as curl. Also, I think it makes the whole CSRF protection useless since an attacker can simply request a token before making a malicious request.
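An added illustration of the usual answer to this question (example code written for this page, not the asker's code and not Django REST framework's implementation): decide whether a CSRF token is required by how the request was authenticated, not by which headers a client happens to send. A session cookie is an ambient credential that the browser attaches to cross-site requests, so it needs a token bound to that session; an explicit Authorization header, as used by a mobile app or curl, cannot be attached by a cross-site form, so no token is needed. This mirrors the documented behaviour of DRF, where SessionAuthentication enforces CSRF checks and TokenAuthentication does not. The `Request` class, the `sessionid` cookie name and the "s" / "Token abc" values are constructed for the demo.

```python
"""Require a CSRF token only for cookie-authenticated, state-changing requests.

Constructed stand-alone model (not DRF code): the server looks at the credential
it actually used to authenticate, so the presence or absence of Origin/Referer
is never the discriminator between web and non-web clients.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)   # e.g. {"Authorization": "Token abc"}
    cookies: dict = field(default_factory=dict)   # e.g. {"sessionid": "s"}
    csrf_token: Optional[str] = None              # token the web client submitted


def new_csrf_token() -> str:
    """Per-session secret; the server stores it alongside the session."""
    return secrets.token_urlsafe(32)


def authenticated_via_cookie(request: Request) -> bool:
    """True when the only credential is the ambient session cookie.
    An explicit Authorization header takes precedence and is not ambient."""
    return "sessionid" in request.cookies and "Authorization" not in request.headers


def check_csrf(request: Request, session_token: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). session_token is the CSRF secret stored for the
    session named by the cookie, or None when there is no such session."""
    if request.method in SAFE_METHODS:
        return True, "safe method"
    if not authenticated_via_cookie(request):
        return True, "explicit Authorization header, CSRF not applicable"
    if session_token is None or request.csrf_token is None:
        return False, "cookie-authenticated request without CSRF token"
    # Constant-time compare; a token fetched for the attacker's own session
    # will not match the victim's session secret.
    if not hmac.compare_digest(request.csrf_token, session_token):
        return False, "CSRF token mismatch"
    return True, "CSRF token valid"
```

The last case answers the second concern in the question: a token an attacker obtains for their own session is useless against another user's session, because validation compares it to the secret stored for the cookie that arrived with the request.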