From 63886178a649586b403966a27a45881709d2b868 Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Wed, 22 Sep 2021 15:44:28 -0700
Subject: [PATCH] Describe a common mistake using csrftoken()

---
 docs/internals.rst | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/internals.rst b/docs/internals.rst
index 910f2c71..411327eb 100644
--- a/docs/internals.rst
+++ b/docs/internals.rst
@@ -793,6 +793,10 @@ If your plugin implements a ``<form method="POST">`` anywhere you will need to i
 
     <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
 
+If you are rendering templates using the :ref:`datasette_render_template` method the ``csrftoken()`` helper will only work if you provide the ``request=`` argument to that method. If you forget to do this you will see the following error::
+
+    form-urlencoded POST field did not match cookie
+
 You can selectively disable CSRF protection using the :ref:`plugin_hook_skip_csrf` hook.
 
 .. _internals_internal: