As mentioned in the [ documentation][1].
For Rails 5, note that `protect_from_forgery` is no longer prepended to the before_action chain, so if you have set authenticate_user before protect_from_forgery, your request will result in "Can't verify CSRF token authenticity." To resolve this, either change the order in which you call them, or use protect_from_forgery prepend: true.
I have used something like this and it works for me.
class WelcomeController < ::Base protect_from_forgery with: :exception before_action :authenticate_model! end

[1]: https://github.com/plataformatec/#controller-filters-and-helpers

As it turns out, [Devise documentation][1] is quite revealing with regard to this error:
> For **Rails 5**, note that protect_from_forgery is no longer prepended to > the **before_action** chain, so if you have set authenticate_user before > **protect_from_forgery**, your request will result in "**Can't verify CSRF > token authenticity.**" **To resolve this, either change the order in which > you call them, or use protect_from_forgery prepend: true**.

The fix was to change code in my application controller from this:
protect_from_forgery with: :exception
To this:
protect_from_forgery prepend: true

This issue did not manifest itself until I attempted adding Audited or Paper Trail gems.

[1]: https://github.com/plataformatec/devise#controller-filters-and-helpers