Here is my solution:
In the Application.php file, the CSRF section of the middleware function must have the httpOnly parameter set to false in order to make it readable by the JS script.
    // src/Application.php (needs: use Cake\Http\Middleware\CsrfProtectionMiddleware;)
    public function middleware($middlewareQueue)
    {
        $middlewareQueue
            // Add CSRF middleware.
            ->add(new CsrfProtectionMiddleware([
                'httpOnly' => false, // To allow the APIs to work
            ]));

        return $middlewareQueue;
    }
I am not sure, though, that this is clean or even a bug, because httpOnly means to me that an HTTP request through AJAX should work fine too, but I may be misled on this one.
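The client side of the setup described above, as an added example that is not part of the original post: a script reads the CSRF cookie and echoes it in a request header on state-changing requests. The cookie name `csrfToken` and header `X-CSRF-Token` are assumed to be the CakePHP defaults, and the `/api/items` path and sample cookie string are constructed for illustration.

```javascript
// Added example. Cookie and header names are assumed CakePHP defaults.
const CSRF_COOKIE = 'csrfToken';
const CSRF_HEADER = 'X-CSRF-Token';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Parse a document.cookie-style string. HttpOnly cookies never appear in it,
// so a null result is what the script sees when httpOnly is left at true.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    const eq = pair.indexOf('=');
    if (eq === -1 || pair.slice(0, eq) !== name) continue;
    const raw = pair.slice(eq + 1); // value may itself contain '='
    try {
      return decodeURIComponent(raw);
    } catch (e) {
      return raw; // malformed percent-encoding: fall back to the raw value
    }
  }
  return null;
}

// Build fetch() options for a same-origin JSON request, attaching the
// token header only to methods that change state.
function csrfRequestInit(method, payload, cookieString) {
  const verb = method.toUpperCase();
  const init = { method: verb, credentials: 'same-origin', headers: {} };
  if (payload !== undefined) {
    init.headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(payload);
  }
  if (!SAFE_METHODS.has(verb)) {
    const token = readCookie(cookieString, CSRF_COOKIE);
    if (token === null) {
      throw new Error('CSRF cookie not readable from script (HttpOnly or not set)');
    }
    init.headers[CSRF_HEADER] = token;
  }
  return init;
}

// Constructed sample standing in for document.cookie in a browser.
const sampleCookies = 'locale=fr; csrfToken=ab12%3Dcd34; theme=dark';
// Browser usage (hypothetical endpoint):
// fetch('/api/items', csrfRequestInit('POST', { name: 'x' }, document.cookie));
```

With `httpOnly` left at true the browser still sends the cookie on AJAX requests, but `document.cookie` does not list it, so `readCookie` returns null and the script has to get the token from another source such as the rendered page.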