diff --git a/api/libs/token.py b/api/libs/token.py
index 098ff958da..a34db70764 100644
--- a/api/libs/token.py
+++ b/api/libs/token.py
@@ -189,6 +189,11 @@ def build_force_logout_cookie_headers() -> list[str]:
 def check_csrf_token(request: Request, user_id: str):
     # some apis are sent by beacon, so we need to bypass csrf token check
     # since these APIs are post, they are already protected by SameSite: Lax, so csrf is not required.
+    if dify_config.ADMIN_API_KEY_ENABLE:
+        auth_token = extract_access_token(request)
+        if auth_token and auth_token == dify_config.ADMIN_API_KEY:
+            return
+
     def _unauthorized():
         raise Unauthorized("CSRF token is missing or invalid.")