Authentication Tokens without globally disabling CSRF

[jminardi]

I have an app with some web views and forms, so I have CSRF enabled. I would also like to have a few API endpoints working with the same app.

It is possible to allow API login (possibly on a different endpoint like /api/login) while still allowing CSRF on all web app endpoints?