Automating bulk invite

Hi all,
I was looking for an API feature that, for a given email address, added a user to a group or two, inviting them to the forum if they didn’t already have an account. I couldn’t find that feature, but noticed that this is exactly what the ‘bulk upload’ invite feature does. This isn’t documented in the API, but is what the browser does.

So I did the same, using the following php code to POST a csv file:

        $body = "--ossifrage\r
Content-Disposition: form-data; name=\"type\"\r
Content-Disposition: form-data; name=\"files[]\"; filename=\"test.csv\"\r
Content-Type: text/csv\r
$r=wp_remote_post( '', array(
                    'method' => 'POST',
                    'headers' => array('Content-Type' => 'multipart/form-data; boundary=ossifrage', 
                                       'Api-key' => '(redacted)',
                                       'Api-Username' => 'yaxu'),
                    'body' => $body

This worked great for a couple of months, but has recently stopped working, with the following error in the discourse logs: Can't verify CSRF token authenticity.

Is this an bug, as I should be authenticated via the API key? Or am I on to a loser trying to use undocumented parts of the API?