...
Because the AJAX API relies on persisted queries and requires a valid CSRF token on all requests, it is not the ideal endpoint to use for development. If you are developing new API requests we recommend using the developer API to construct your requests, then creating persisted queries in code when you are ready to use them.
...
Requests to the AJAX endpoint must send the Totara session cookie and a CSRF token. It is not normally necessary to make requests in this way (use the developer API instead), but, if required, the structure of requests is as follows:
...