Form Bots and the Authenticity Token

How are bots able to create authenticity tokens that are valid? I thought for sure authenticity tokens would make my forms bulletproof against bots.

this is absolutely bulletproof

The authenticity token just ensures that the “agent” (person or bot) who submits the form first has to request the form. (right?)

If it’s a public form, a bot is just as capable of requesting the form, saving the authenticity token, and submitting it back with the authenticity token.

The only real way to guard against bots is Captcha
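To make the point above concrete, here is an added toy model of a session-bound authenticity token check, written for this thread and not taken from Rails itself (the `App`, `get_form` and `post_form` names are invented). It shows that the token only proves the submitting client fetched the form in that session, so a scripted client that does one GET passes every subsequent POST, while a forged request from another origin that never saw the token is rejected.

```ruby
require "securerandom"

# Constructed model of a per-session CSRF/authenticity token check,
# in the spirit of protect_from_forgery. Not Rails code.
class App
  def initialize
    @sessions = {} # session_id => token stored server-side
  end

  # GET /form: start (or reuse) a session and render a form carrying the token.
  # Returns [session_id, form_token].
  def get_form(session_id = nil)
    session_id ||= SecureRandom.hex(8)
    @sessions[session_id] ||= SecureRandom.base64(32)
    [session_id, @sessions[session_id]]
  end

  # POST /submit: accept only if the submitted token matches the one bound to
  # the session cookie that accompanies the request.
  def post_form(session_id, submitted_token)
    expected = @sessions[session_id]
    return :rejected if expected.nil? || submitted_token.nil?
    return :rejected unless expected.bytesize == submitted_token.bytesize
    # Constant-time comparison so the check does not leak the token byte by byte.
    diff = 0
    expected.bytes.zip(submitted_token.bytes) { |a, b| diff |= a ^ b }
    diff.zero? ? :accepted : :rejected
  end
end

# Scenario 1: any client (browser or script) that first requests the form.
# One GET yields a token that is valid for every POST in that session.
def scripted_client_flow(app)
  sid, token = app.get_form
  3.times.map { app.post_form(sid, token) } # => [:accepted, :accepted, :accepted]
end

# Scenario 2: a cross-site forgery. Another origin can cause the browser to
# send the session cookie, but cannot read the token out of the rendered form.
def cross_site_forgery(app)
  sid, _token = app.get_form # the user has a live session
  app.post_form(sid, "guess-#{SecureRandom.hex(4)}") # => :rejected
end
```

The check therefore defends against cross-site request forgery, not against automation; the logging question in the next reply is about the GET that precedes the POSTs, which this model requires exactly once per session.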

Yes, but in that case I would expect to see a GET request where they get the token before they actually POST the form? If I look in the logs all I see are these bots posting over and over again with different tokens, but apparently all legit.