Define a dummy endpoint to return a valid CSRF token

app/controllers/tokens_controller.rb

@@ -0,0 +1,8 @@
+class TokensController < ApplicationController
+  skip_before_action :authenticate_user!
+  skip_before_action :set_tenant
+
+  def show
+    head :ok
+  end
+end

config/routes.rb

@@ -2,6 +2,16 @@
 
 Rails.application.routes.draw do
   mount LetterOpenerWeb::Engine, at: "/letter_opener" if Rails.env.development?
+  get 'token' => 'tokens#show', as: :token
+  get 'up' => 'rails/health#show', as: :rails_health_check
+
+  resources :captcha, only: :create do
+    get 'v2/media', to: 'captcha#media', on: :collection, as: :media
+  end
+
+  mount Rswag::Ui::Engine => '/api-docs'
+  mount Rswag::Api::Engine => '/api-docs'
+
   scope ":slug", constraints: { slug: Wedding::SLUG_REGEX } do
     devise_for :users, skip: [:registration, :session, :confirmation]
     devise_scope :user do
@@ -24,13 +34,4 @@ Rails.application.routes.draw do
 
     root to: redirect("/%{slug}")
   end
-
-  resources :captcha, only: :create do
-    get 'v2/media', to: 'captcha#media', on: :collection, as: :media
-  end
-
-  mount Rswag::Ui::Engine => '/api-docs'
-  mount Rswag::Api::Engine => '/api-docs'
-
-  get 'up' => 'rails/health#show', as: :rails_health_check
 end

spec/requests/tokens_spec.rb

@@ -0,0 +1,13 @@
+require 'swagger_helper'
+
+RSpec.describe 'tokens', type: :request do
+  path '/token' do
+    get('get a cookie with CSRF token') do
+      tags 'CSRF token'
+      consumes 'application/json'
+      produces 'application/json'
+      
+      response_empty_200
+    end
+  end
+end