anti-CSRF tokens
Anti-CSRF tokens are unique, secret values generated by a web application to protect against Cross-Site Request Forgery (CSRF) attacks. These tokens are included in forms or requests sent to the server so that it can confirm each request is legitimate and originated from the authenticated user. When the server receives a request, it checks the token to verify its authenticity.
If the token is missing or incorrect, the server rejects the request, preventing unauthorized actions. This mechanism helps maintain the integrity of user sessions and protects sensitive operations, such as bank transactions or account changes, from being exploited by malicious actors.
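
The issue-and-verify cycle described above, as an added example that is not part of the original entry. The function names, the in-memory session store and the csrf_token field name are assumptions made for illustration.

```python
import hmac
import html
import secrets

# Hypothetical in-memory session store: session id -> anti-CSRF token.
_SESSIONS = {}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only requests need no token


def issue_token(session_id):
    """Generate an unpredictable token and bind it to the user's session."""
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    _SESSIONS[session_id] = token
    return token


def render_form(token):
    """Embed the token in a hidden field so it is sent back with the form."""
    return (
        '<form method="post" action="/account/email">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'
        '<input name="email"><button>Save</button></form>'
    )


def verify_token(session_id, submitted):
    """True only if the submitted token matches the one bound to this session."""
    expected = _SESSIONS.get(session_id)
    if expected is None or not submitted:
        return False  # no session, or token missing from the request
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_request(method, session_id, form):
    """Return an HTTP status: 403 when a state-changing request fails the check."""
    if method.upper() in SAFE_METHODS:
        return 200
    if not verify_token(session_id, form.get("csrf_token")):
        return 403  # reject before any state change happens
    return 200


if __name__ == "__main__":
    tok = issue_token("sess-A")  # constructed session id
    print(render_form(tok))
    print(handle_request("POST", "sess-A", {"csrf_token": tok}))  # legitimate
    print(handle_request("POST", "sess-A", {"email": "x@example.com"}))  # forged
```

Because the token is bound to one session, a valid token issued to a different session is rejected just like a missing one.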