The UI is 100% static client-side code that just talks to the API. Anything it can do you can do, though some things are admittedly non-obvious or lacking documentation.
So that is the API call, but you’ll want enabled:true. The UI sends false, tries to authenticate, and then sets it to true if everything worked so that it is difficult to lock yourself out with invalid config.
The error message has nothing to do with setting up auth specifically… it means you’re sending a request that looks like it’s from a browser, where we need to protect against cross-site request forgery attacks.
To do that the API requires any non-GET request have the value of the CSRF cookie (which the server provides) sent back as the value of a X-API-CSRF header (which you can’t do if you’re code running from a different domain).
Since you’re (probably?) not a browser you can just remove where you’re sending a User-Agent header, or make it not contain “Mozilla”. If you are a browser, on a page in a different domain than Rancher, then you won’t be able to do this… because you’re trying to execute a CSRF attack against yourself 
.