Exclude certain routes from csrf protection

bootstrap/app.php

@@ -12,6 +12,13 @@ return Application::configure(basePath: dirname(__DIR__))
         health: '/up',
     )
     ->withMiddleware(function (Middleware $middleware) {
+        $middleware->validateCsrfTokens(except: [
+            'api/token',
+            'api/post',
+            'api/media',
+            'micropub/places',
+            'webmention',
+        ]);
         $middleware->append(CSPHeader::class);
     })
     ->withExceptions(function (Exceptions $exceptions) {