There was a security issue around this (CORS wasn’t set up correctly, so someone could fetch the config from a different origin, parse the API key out of it, then use it to POST). The whole API was therefore secured as a precautionary measure.
If you’re using the API, you should be using the API key. This will also cover the case where someone has enabled authentication on Syncthing’s web UI.
If you’re starting Syncthing yourself, you can specify the API key to use on the command line. Otherwise I would suggest getting the user to copy the API key from Syncthing’s web interface and pasting it into some configuration for your shell extension. Parsing the config file is possible, but remember that 1) the user may have decided to put Syncthing’s home folder somewhere custom, and 2) the format may change at any time.
You’ve got it the wrong way around: an API key is arguably more secure than a CSRF token. The thing is, you can’t expect the user to input a code every time their browser makes a request (which can be several times a second), so alternatives have to be found.
An API key is also a lot easier for an application to use.
This won’t work if the user’s enabled authentication…?
Reading the API key out of the config probably won’t be supported for much longer, although there may be an alternative means to ask Syncthing to give you an API key, without requiring any user interaction.
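An added example, not part of the original post: one way a client such as a shell extension could use a key the user pasted into the extension's own settings and send it in Syncthing's `X-API-Key` header. The settings file layout (`{"api_key": "..."}`), the function names and the POSIX permission check are assumptions made for this sketch.

```python
import json
import os
import stat
import urllib.error
import urllib.request

BASE_URL = "http://127.0.0.1:8384"  # Syncthing's default GUI/REST address


def load_api_key(path):
    """Return the key the user pasted into the extension's own settings file.

    The JSON layout {"api_key": "..."} is hypothetical, chosen for this example.
    """
    mode = os.stat(path).st_mode
    # The key grants full API access, so refuse a file other users can touch.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to other users; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        key = str(json.load(fh).get("api_key", "")).strip()
    if not key:
        raise ValueError("no API key set; copy it from Syncthing's web interface")
    return key


def build_request(endpoint, api_key, body=None, base_url=BASE_URL):
    """Build a REST request that authenticates with the X-API-Key header."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url.rstrip("/") + endpoint, data=data,
                                 method="GET" if data is None else "POST")
    req.add_header("X-API-Key", api_key)
    return req


def call(endpoint, api_key, body=None):
    """Send the request; turn an auth rejection into an actionable error."""
    req = build_request(endpoint, api_key, body)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    except urllib.error.HTTPError as err:
        # Assumption: a missing or wrong key is reported as 401 or 403.
        if err.code in (401, 403):
            raise PermissionError("Syncthing rejected the API key; "
                                  "ask the user to paste it again") from err
        raise
```

A typical call is `call("/rest/system/status", load_api_key(settings_path))`, where `settings_path` is wherever the extension keeps its own configuration.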