There's a couple of things you can do.
- Skip before filter for some actions only (using `:only` parameter).
- Add an additional step: go to the temperatures form and post through the button on this form.
- Go to the temperatures form, extract CSRF tokens from it and POST using these tokens.
However, the right way to do it is to separate security measures for a JSON API and HTML forms. You could implement some kind of key-based authorization to access the API, or use an already implemented solution (for example Grape).
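A sketch of the key-based separation suggested above, added here as an example and not part of the original answer: a Rack-style middleware in plain Ruby that requires an API key on JSON API paths and leaves every other path to the normal CSRF-token check. The `/api/` prefix, the `X-Api-Key` header, the `api.client` env key and all class and constant names are assumptions made for illustration.

```ruby
require "digest"
require "json"

# Rack-style middleware (plain Ruby, no gems). Requests under /api/ must carry a
# valid key in the X-Api-Key header; everything else is passed through untouched,
# so HTML forms keep their normal CSRF-token check.
class ApiKeyAuth
  API_PREFIX = "/api/".freeze # hypothetical path prefix

  # key_digests: { client_name => SHA-256 hex digest of that client's key }
  def initialize(app, key_digests)
    @app = app
    @key_digests = key_digests
  end

  def call(env)
    return @app.call(env) unless env["PATH_INFO"].to_s.start_with?(API_PREFIX)
    client = authenticate(env["HTTP_X_API_KEY"])
    return deny unless client
    env["api.client"] = client # lets the endpoint know who called
    @app.call(env)
  end

  private

  def authenticate(presented)
    return nil if presented.nil? || presented.empty?
    digest = Digest::SHA256.hexdigest(presented)
    # Check every entry so the work done does not depend on which key matched.
    @key_digests.reduce(nil) do |found, (name, stored)|
      constant_time_eq?(stored, digest) ? name : found
    end
  end

  def constant_time_eq?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def deny
    [401, { "content-type" => "application/json" }, [JSON.generate(error: "invalid API key")]]
  end
end

# Constructed sample data: one client and a stand-in for the temperatures endpoint.
SAMPLE_KEY = "constructed-sample-key-0001".freeze
KEYS = { "sensor-1" => Digest::SHA256.hexdigest(SAMPLE_KEY) }.freeze
ENDPOINT = ->(env) { [201, {}, ["created by #{env['api.client'] || 'browser'}"]] }
APP = ApiKeyAuth.new(ENDPOINT, KEYS)
```

Only digests of the keys are held by the server, so a leaked key table does not directly expose usable keys.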