I'm going to create a RESTful API using Ruby on Rails. I want to create, delete, show and update data. All of them have to be JSON so I can get them on Android devices. I'm also using Postman to check my APIs. This is what I've done:

My controller:

    class Api::V1::UsersController < ApplicationController
      respond_to :json

      def show
        respond_with User.find(params[:id])
      end

      def create
        user = User.new(user_params)
        if user.save
          render json: user, status: 201
        else
          render json: { errors: user.errors }, status: 422
        end
      end

      def update
        user = User.find(params[:id])
        if user.update(user_params)
          render json: user, status: 200
        else
          render json: { errors: user.errors }, status: 422
        end
      end

      def destroy
        user = User.find(params[:id])
        user.destroy
        head 204
      end

      private

      # Strong parameters: only these attributes may be mass-assigned.
      def user_params
        params.require(:user).permit(:email, :password, :password_confirmation)
      end
    end

and this is my route file:

    Rails.application.routes.draw do
      devise_for :users
      namespace :api, defaults: { format: :json } do
        namespace :v1 do
          resources :users, :only => [:show, :create, :update, :destroy]
        end
      end
    end

I also added the following code to my Gemfile:

    gem "devise"
    gem 'active_model_serializers'

I don't know why, when I want to create a user via Postman, I get the following error:

    ActionController::InvalidAuthenticityToken in Api::V1::UsersController#create

You need to make the following change in application_controller.rb.

Change

    class ApplicationController < ActionController::Base
      # Prevent CSRF attacks by raising an exception.
      # For APIs, you may want to use :null_session instead.
      protect_from_forgery with: :exception
    end

to

    class ApplicationController < ActionController::Base
      # Prevent CSRF attacks by raising an exception.
      # For APIs, you may want to use :null_session instead.
      protect_from_forgery with: :null_session
    end

EDIT

A better way is to skip the authentication for a specific controller:

    class Api::V1::UsersController < ApplicationController
      skip_before_action :verify_authenticity_token
      respond_to :json
      # ...
    end

For web controllers:

    protect_from_forgery with: :exception

For API controllers:

    protect_from_forgery with: :null_session

You can also choose when to run this validation with the prepend parameter (the default value of this option is false):

    protect_from_forgery with: :null_session, prepend: true

As the documentation says:

    This is useful if you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth)
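
The three options discussed in the answers above, compared in a plain-Ruby model. This is an added example, not code from either answer and not Rails source; `Request`, `handle`, `outcome`, the API key and the sample requests are hypothetical, and it assumes the API authenticates mobile clients with a per-request key while browsers use a cookie session (as Devise does by default).

```ruby
# Simplified model of Rails' CSRF handling strategies; not Rails source code.
# All names and sample values here are constructed for illustration.
require "securerandom"

class InvalidAuthenticityToken < StandardError; end

Request = Struct.new(:verb, :session, :csrf_token, :api_key, keyword_init: true)

API_KEYS = { "k-android-demo" => "alice" }.freeze # constructed API credential

# GET/HEAD pass; any other verb must submit the token stored in the session.
# (Rails compares tokens in constant time; == keeps the model short.)
def verified?(req)
  return true if %w[GET HEAD].include?(req.verb)
  expected = req.session[:_csrf_token]
  !expected.nil? && !req.csrf_token.nil? && expected == req.csrf_token
end

# Returns the user the action would run as under the given strategy.
# :skip models skip_before_action :verify_authenticity_token.
def handle(req, strategy)
  session = req.session
  unless strategy == :skip || verified?(req)
    raise InvalidAuthenticityToken if strategy == :exception
    session = {} if strategy == :null_session # action sees an empty session
  end
  # Cookie-session login first, then a per-request API key.
  session[:user] || API_KEYS[req.api_key]
end

def outcome(req, strategy)
  handle(req, strategy) || :anonymous
rescue InvalidAuthenticityToken
  :rejected
end

token = SecureRandom.hex(16)
browser_session = { user: "alice", _csrf_token: token }

# Constructed requests: a same-site form post, a cross-site post carrying only
# the browser's session cookie, and an API client (Postman/Android), no cookie.
FORM_POST  = Request.new(verb: "POST", session: browser_session, csrf_token: token)
CROSS_SITE = Request.new(verb: "POST", session: browser_session)
API_CLIENT = Request.new(verb: "POST", session: {}, api_key: "k-android-demo")

[FORM_POST, CROSS_SITE, API_CLIENT].each do |req|
  puts %i[exception null_session skip].map { |s| outcome(req, s) }.inspect
end
```

In this model the API client is rejected only under `:exception`, which matches the error in the question, and the cookie-only cross-site post runs as the logged-in user only under `:skip`; under `:null_session` it runs anonymously.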