It is the Rails CSRF (cross-site request forgery) protection mechanism.
Therefore, to solve it, we have to turn it off for the actions that need to accept such requests.
In the controller, just add this line:
protect_from_forgery :only => [:create, :update, :destroy]
It specifies that the protection mechanism only applies to those three actions (create, update, and destroy).
Other actions can receive a third-party HTTP POST without raising InvalidAuthenticityToken.
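An action left outside protect_from_forgery no longer has the token check, so the third-party POST has to be authenticated some other way. The following is an added example, not code from the original page: plain Ruby that verifies an HMAC-SHA256 signature over the raw request body. The header format, the shared secret and the function names are assumptions, and the sender must support signed requests.

```ruby
require "openssl"

# Assumption: the third party signs "<unix timestamp>.<raw body>" with a shared
# secret and sends "t=<timestamp>,v1=<hex HMAC-SHA256>" in a request header.
MAX_SKEW_SECONDS = 300

# Constant-time comparison so timing does not reveal how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def sign_webhook(secret, timestamp, raw_body)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{raw_body}")
end

# Returns true only if the header parses, the timestamp is fresh, and the
# signature matches the exact bytes of the body that was received.
def valid_webhook?(secret, header, raw_body, now = Time.now.to_i)
  pairs = header.to_s.split(",").map { |kv| kv.split("=", 2) }
  return false unless pairs.all? { |kv| kv.length == 2 }
  fields = pairs.to_h
  ts  = fields["t"].to_s
  sig = fields["v1"].to_s
  return false unless /\A\d+\z/.match?(ts) && /\A\h{64}\z/.match?(sig)
  # Reject old (or far-future) timestamps to limit replay of captured requests.
  return false if (now - ts.to_i).abs > MAX_SKEW_SECONDS
  secure_equal?(sign_webhook(secret, ts, raw_body), sig.downcase)
end

# Constructed sample request (not real data).
SECRET = "constructed-shared-secret"
BODY   = '{"event":"payment.completed","id":42}'
NOW    = 1_700_000_000
HEADER = "t=#{NOW},v1=#{sign_webhook(SECRET, NOW, BODY)}"
```

In the exempted action, pass request.raw_post rather than re-serialized params, and answer with a 401 when the check fails.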