diff --git a/src/shared/api/tokenStore.ts b/src/shared/api/tokenStore.ts
index 5ceec58..13e4c25 100644
--- a/src/shared/api/tokenStore.ts
+++ b/src/shared/api/tokenStore.ts
@@ -9,7 +9,13 @@ export const tokenStore = {
 const REFRESH_URL = 'https://app.auth.elcsa.ru/v1/jwt/refresh'
 
 export async function refreshAccessToken(): Promise<string> {
-  const res = await fetch(REFRESH_URL, { method: 'POST', credentials: 'include' })
+  const { getCsrfToken } = await import('./csrf')
+  const csrf = await getCsrfToken()
+  const res = await fetch(REFRESH_URL, {
+    method: 'POST',
+    credentials: 'include',
+    headers: { 'X-CSRF-Token': csrf },
+  })
   if (!res.ok) throw new Error('Unauthorized')
   const data = await res.json()
   tokenStore.set(data.access_token)