Don't know why CSRF token not appended in my request

I am trying to write a plugin for tasklist. now it looks like this:

export default {
    id: 'tasklist.cats',
    pluginPoint: 'tasklist.list',
    priority: 9001,
    render: (node, api) => {
        node.innerHTML = '<h1>My Process instance</h1>';

        node.onclick = function(){

            fetch(api.engineApi + "/history/process-instance", {
                method: 'post',
                body: '{"startedBy":"demo"}',
                headers: {
                    "Accept": "application/json",
                    "Content-Type": "application/json",
                    "X-XSRF-TOKEN": api.CSRFToken,
    properties: {
        label: 'My process instance'

But when I check in chrome dev tool the CSRF token is not present. I don’t know why.

Also, I would like to know how to get current user id form tasklist.list plugin point or from any plugin points.