base_controller.rb

class Api::V1::ApplicationController < ActionController::Base
  protect_from_forgery
  before_filter :set_csrf_header
  
  private
  def set_csrf_header
    response.headers['X-CSRF-Token'] = session[:_csrf_token] ||= SecureRandom.base64(32)
  end

end

CSRF-ajax-setup.js.coffee

$.ajaxSetup
  xhrFields:
    withCredentials: true

$(document).ajaxSend (event, jqxhr, settings)->
  jqxhr.setRequestHeader 'X-CSRF-Token', Embed.get 'csrf-token'

$(document).ajaxComplete (event, jqxhr, settings)->
  if jqxhr.getResponseHeader('X-CSRF-Token')?
    Embed.set 'csrf-token', jqxhr.getResponseHeader 'X-CSRF-Token'

listings_controller.rb

module Api
  module V1

    class ListingsController < ApplicationController
      # ...
    end

 end
end