Update protect_from_forgery to allow API request

app/controllers/application_controller.rb

@@ -10,7 +10,7 @@ class ApplicationController < ActionController::Base
 
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
-  protect_from_forgery with: :exception
+  protect_from_forgery with: :exception, unless: -> { request.format.json? }
 
   rescue_from ActiveRecord::RecordNotFound, with: :show_not_found_error