authenticityTokenField()

Generates a hidden form field that contains a CSRF authenticity token. This token is required for verifying that POST, PUT, PATCH, or DELETE requests originated from your application, helping protect against Cross-Site Request Forgery (CSRF) attacks. When you use startFormTag(), Wheels automatically includes the token field for you. You’ll usually only need to call authenticityTokenField() manually when creating forms without startFormTag() or when building raw HTML forms.

1. Adding a CSRF token to a manual form
<!--- Needed here because we're not using startFormTag --->
<form action="#urlFor(route='posts')#" method="post">
  #authenticityTokenField()#
  <input type="text" name="title">
  <input type="submit" value="Create Post">
</form>

2. No token needed for safe GET forms
<!--- Not needed here because GET requests are not protected --->
<form action="#urlFor(route='invoices')#" method="get">
  <input type="text" name="search">
  <input type="submit" value="Find Invoice">
</form>

3. Custom AJAX form with CSRF token
<form id="ajaxForm">
  #authenticityTokenField()#
  <input type="text" name="title">
  <button type="submit">Save</button>
</form>

document.getElementById("ajaxForm").addEventListener("submit", function(e) {
  // Stop the normal form post; we send the data ourselves with fetch().
  e.preventDefault();

  // Read the hidden field rendered by #authenticityTokenField()# above.
  const token = document.querySelector("input[name='authenticityToken']").value;

  // Send the token in the X-CSRF-Token header so the request passes
  // Wheels' forgery check even though the body is JSON, not form fields.
  fetch("/posts", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "X-CSRF-Token": token
    },
    body: JSON.stringify({ title: "CSRF-protected post" })
  });
});
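The three examples above share one rule: unsafe methods must carry the token from authenticityTokenField(), safe GET forms must not. The helper below is an added example, not part of the Wheels documentation or framework; it builds a fetch() request from a form's fields, forwarding the authenticityToken value both as a form parameter (as in example 1) and as the X-CSRF-Token header (as in example 3), skipping it for GET, and refusing to send an unsafe request whose form lacks the token. The field name authenticityToken and the header name come from this page; the helper and its names are assumptions.

```javascript
// Added example (not Wheels' own code): build a fetch() request from form
// fields so the token emitted by authenticityTokenField() travels as the
// "authenticityToken" form parameter and as the X-CSRF-Token header.
// Safe methods get no token; unsafe methods without one are refused up front
// instead of being sent and rejected by the server's forgery check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// fields: iterable of [name, value] pairs, e.g. new FormData(form).entries()
function buildCsrfRequest(method, fields) {
  const verb = method.toUpperCase();
  const body = new URLSearchParams();
  let token = null;
  for (const [name, value] of fields) {
    if (name === "authenticityToken") token = value;
    body.append(name, value);
  }
  if (SAFE_METHODS.has(verb)) {
    // GET-style requests are not CSRF-protected: fields go in the query string.
    return { method: verb, headers: {}, query: body.toString() };
  }
  if (!token) {
    throw new Error("authenticityToken missing: include #authenticityTokenField()# in the form");
  }
  return {
    method: verb,
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      "X-CSRF-Token": token,
    },
    body: body.toString(),
  };
}

// Browser usage (hypothetical helper): submit a <form> element via fetch().
function submitFormWithCsrf(form, url) {
  const init = buildCsrfRequest(form.method || "post", new FormData(form).entries());
  const target = init.query ? `${url}?${init.query}` : url;
  return fetch(target, { method: init.method, headers: init.headers, body: init.body });
}
```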