🗓️ 18 Dec 2025  
A CSRF (Cross-Site Request Forgery) token is a unique, secret value generated by a web application and included in forms or requests. Its primary purpose is to protect users from CSRF attacks, where malicious sites attempt to perform unauthorized actions on behalf of authenticated users. When a user submits a form, the server checks the token to ensure the request is legitimate and originates from the correct user session. If the token is missing or invalid, the request is rejected. This mechanism helps prevent attackers from exploiting authenticated sessions and executing unwanted actions, thereby enhancing the security of web applications.
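The issue-and-check cycle described above, as an added Python example that is not part of the original page. The in-memory `SESSIONS` store, the `/transfer` form and all function names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store (assumption): session id -> session data.
SESSIONS = {}

def new_session():
    """Create a session and return its id (stands in for a completed login)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid

def issue_csrf_token(sid):
    """Generate an unpredictable token and store it in that user's session."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_token"] = token
    return token

def render_form(sid):
    """Embed a fresh token as a hidden field in the form sent to the user."""
    token = issue_csrf_token(sid)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>')

def csrf_ok(sid, submitted):
    """True only if the submitted token matches the one stored for this session."""
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    if not expected or not isinstance(submitted, str) or not submitted:
        return False  # unknown session, or token missing from the request
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected.encode(), submitted.encode())

def handle_post(sid, form):
    """Return an HTTP status: 403 when the token is missing or invalid."""
    if not csrf_ok(sid, form.get("csrf_token")):
        return 403
    return 200  # the state-changing action would run here
```

A token issued to one session is rejected when submitted with another, which is what ties the request to the correct user session.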