I had a Ruby on Rails app giving a bunch of invalid authenticity token errors. I spent a while hunting down the solution until I found this write up. Very useful.

This write up was by Peter De Berdt on one of the Ruby mailing lists, I am putting it here more for my own future (maybe) reference as it is a very good solution for the situation I was running into. The entire thread is at the ruby forum site

If you have a situation where you are getting invalid authenticity tokens and are doing strange things with forms on your website with file uploads etc, and can’t for some reason just use the authenticity form helper, then this solution worked for me and should work for you too.

The solution is pretty simple to be honest:

In your view layout file, add this to the


<script type="text/javascript" charset="utf-8">
    window._token = '<%= form_authenticity_token -%>';

In application.js, add the following:

Ajax.Base.prototype.initialize = Ajax.Base.prototype.initialize.wrap(
   function(p, options){
     this.options.parameters = this.options.parameters || {};
     this.options.parameters.authenticity_token = window._token || '';

It will automatically add the authenticity token to ALL ajax requests, even those you invoke from custom code (graceful degrading and/or even delegated events for example).

A similar solution for those swapping out Prototype with JQuery has been posted here

As for file uploaders, a normal field within a form (multipart=true) will be sent as part of the form (and isn’t an ajax request in the first place) and shouldn’t be a problem. If you are using ANY other “ajax” uploader, there’s more to it. I already posted several times on how to get SWFUpload to play nicely with Rails, an overview with links to the appropriate posts can be found here.