How do the webhooks bypass AntiForgeryToken validation?

How do the webhooks- (in e.g., Zettle and PayPal plugins) bypass the AntiForgeryToken validation?  The controller action method does not have  the [IgnoreAntiforgeryToken] attribute.

    public class ZettleWebhookController : Controller
    {...

        [HttpPost]
        public async Task<IActionResult> Webhook()
        {...

The ZettleWebhookController doesn't have the  [AutoValidateAntiforgeryToken] applied in the controller and it inherits the Controller which also doesn't have the [AutoValidateAntiforgeryToken]  applied by default (Looks like only the BaseAdminController has the auto validation for anti-forgery applied). Maybe I am wrong but by the looks of it, it doesn't need the [IgnoreAntiforgeryToken] since the antinforgery validation is not enabled at all.

That's what I thought, but when I created a plugin, and I tried all of these:
Controller
BasePublicController  
BasePluginController

and I also tried putting these attributes on the action method:
        [HttpPost]
        [AllowAnonymous]
        [IgnoreAntiforgeryToken]

Regardless, I always get 400 Bad Response, and this is in the output window in VS

Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter: Information: Antiforgery token validation failed. The required antiforgery cookie ".Nop.Antiforgery" is not present.

Oops, my typo...

I registered my route as

public void RegisterRoutes(IEndpointRouteBuilder endpointRouteBuilder)
{
    endpointRouteBuilder.MapControllerRoute(name: "Plugin.Misc.MyTest.Upload",
        pattern: "mytest/api",
        defaults: new { controller = "MyTest", action = "Upload" });
}

But I had 'typo' in my test program, since the route pattern was
   pattern: "mytest/api"

I was using
string url = "https://localhost:44369/mytest/api/upload";

when it should have just been
string url = "https://localhost:44369/mytest/api";

I think it's just odd that the error was regarding the AntiForgeryToken validation!