I trying post a json file with Rails API.I have try to fix but can't runThis my problem:

Sever log:

Started POST "/students/" for 127.0.0.1 at 2016-09-17 17:45:33 +0700  ActiveRecord::SchemaMigration Load (0.0ms)  SELECT "schema_migrations".* FROM "schema_migrations"Processing by Devise::RegistrationsController#create as */*  Parameters: {"student"=>{"name"=>"Duong", "score"=>"10"}, "registration"=>{"student"=>{"name"=>"Duong", "score"=>"10"}}}Can't verify CSRF token authenticity.Unpermitted parameters: name, score   (0.0ms)  begin transaction   (0.0ms)  rollback transaction  Rendering C:/RailsInstaller/Ruby2.2.0/lib/ruby/gems/2.2.0/gems/devise-4.2.0/app/views/devise/registrations/new.html.erb within layouts/application  Rendered C:/RailsInstaller/Ruby2.2.0/lib/ruby/gems/2.2.0/gems/devise-4.2.0/app/views/devise/shared/_links.html.erb (10.0ms)  Rendered C:/RailsInstaller/Ruby2.2.0/lib/ruby/gems/2.2.0/gems/devise-4.2.0/app/views/devise/registrations/new.html.erb within layouts/application (60.0ms)Completed 500 Internal Server Error in 442ms (ActiveRecord: 0.0ms)

Student.rb

This is my student model

class Student < ApplicationRecord  # Include default devise modules. Others available are:  # :confirmable, :lockable, :timeoutable and :omniauthable  devise :database_authenticatable, :registerable,         :recoverable, :rememberable, :trackable, :validatableend

Application_controller

I have fix excetion => null_session

class ApplicationController < ActionController::Base  protect_from_forgery with: :null_sessionend

Student_controller

class Api::StudentsController < ApplicationController  def index    students = Student.all    render json: students, status: 200  end  def show    response_with Student.find(params[:id])  end  def create    student = Student.new(student_params)    #if you save successfully than response with json data and status code 201    if student.save      render json: user, status: 201, location: student    else      render json: {error: user.errors}, status: 422    end  end  private  def student_params    params.require(:student).permit(:name, :score)  endend

router.rb

Rails.application.routes.draw do  devise_for :students  namespace :api, path: '/',constraints: {subdomain: 'api'} do    resources :students, only: [:index, :show, :create]  endend

But, when I send a post to api.1312100.com/students/

{"student": {"name": "Duong", "score": "10"}}

have a error:

500 internal server error