diff --git a/src/bornhack/urls.py b/src/bornhack/urls.py
index a10b7ab7..a864eef7 100644
--- a/src/bornhack/urls.py
+++ b/src/bornhack/urls.py
@@ -1,6 +1,7 @@
 from django.urls import include, path
 from django.contrib import admin
 from django.conf import settings
+from django.views.decorators.csrf import csrf_exempt
 
 from allauth.account.views import (
 LoginView,
@@ -66,7 +67,9 @@ urlpatterns = [
 ),
 path('accounts/', include('allauth.urls')),
 path('admin/', admin.site.urls),
- path('api/', GraphQLView.as_view(graphiql=True)),
+
+ # We don't need CSRF checks for the API
+ path('api/', csrf_exempt(GraphQLView.as_view(graphiql=True))),
 path(
 'camps/',
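Review bot: The comment `# We don't need CSRF checks for the API` does not state the condition that makes the `csrf_exempt` wrapper (imported in the first hunk, applied to the `api/` route in the second) safe. If the project's session and authentication middleware also run for this view (not visible here), requests still carry the user's cookie identity, so the exemption is sound only while the schema has no mutations or per-user state. I would record that at the route, e.g. `# CSRF-exempt: schema is query-only and serves public data; restore CSRF checks before adding mutations`, once that is confirmed against the schema. `graphiql=True` remains set on the exempted endpoint, so it is also worth deciding whether the interactive explorer should be served outside development, e.g. `graphiql=settings.DEBUG`. The second hunk's trailing context appears to run past the end of the visible text.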