How do the webhooks bypass AntiForgeryToken validation?

2 weeks ago
How do the webhooks- (in e.g., Zettle and PayPal plugins) bypass the AntiForgeryToken validation?  The controller action method does not have  the [IgnoreAntiforgeryToken] attribute.

    public class ZettleWebhookController : Controller

        public async Task<IActionResult> Webhook()
2 weeks ago
The ZettleWebhookController doesn't have the  [AutoValidateAntiforgeryToken] applied in the controller and it inherits the Controller which also doesn't have the [AutoValidateAntiforgeryToken]  applied by default (Looks like only the BaseAdminController has the auto validation for anti-forgery applied). Maybe I am wrong but by the looks of it, it doesn't need the [IgnoreAntiforgeryToken] since the antinforgery validation is not enabled at all.
2 weeks ago
That's what I thought, but when I created a plugin, and I tried all of these:

and I also tried putting these attributes on the action method:

Regardless, I always get 400 Bad Response, and this is in the output window in VS
Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter: Information: Antiforgery token validation failed. The required antiforgery cookie ".Nop.Antiforgery" is not present.
2 weeks ago
Oops, my typo...

I registered my route as
public void RegisterRoutes(IEndpointRouteBuilder endpointRouteBuilder)
    endpointRouteBuilder.MapControllerRoute(name: "Plugin.Misc.MyTest.Upload",
        pattern: "mytest/api",
        defaults: new { controller = "MyTest", action = "Upload" });

But I had 'typo' in my test program, since the route pattern was
   pattern: "mytest/api"

I was using
string url = "https://localhost:44369/mytest/api/upload";

when it should have just been
string url = "https://localhost:44369/mytest/api";

I think it's just odd that the error was regarding the AntiForgeryToken validation!