diff --git a/Gemfile b/Gemfile
index 507850a0fb87fe7f1e4a705c0928c73f860d024e..09f7e960a0c0d6724e8339ed0494288757d3edf7 100644
--- a/Gemfile
+++ b/Gemfile
@@ -92,9 +92,6 @@ gem 'font-awesome-rails'
 group :development do
   gem 'immigrant'
 
-  # mute assets in log
-  gem 'quiet_assets'
-
   # static analysis tool for security vulnerabilities
   gem 'brakeman', require: false
 
@@ -178,3 +175,6 @@ gem 'mimemagic'
 gem 'screencap'
 
 gem 'wicked'
+
+# using while rails 5 isn't released
+gem 'rails-api'
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index fede14c3623bedfa92658721fd5d92088a73da39..0e6ae1d405bd7ef161838fcae9d39dff7a4ce380 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,9 +1,9 @@
-class ApplicationController < ActionController::Base
+class ApplicationController < ActionController::API
   include Pundit
 
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
-  protect_from_forgery with: :null_session
+  # protect_from_forgery with: :null_session
   before_action :count_learning_objects
   before_action :configure_permitted_parameters, if: :devise_controller?
 
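Review bot: With `protect_from_forgery` commented out and the base class switched to `ActionController::API`, nothing visible in this controller guards state-changing requests against cross-site request forgery, and the two comment lines above the disabled call still claim that it does. That is safe only if every client authenticates with a header token; the `devise_controller?` hook kept below suggests Devise is still in use, and if its cookie session remains enabled the endpoints would accept forged cross-site requests. I would delete the dead line and the stale comment and replace them with `# CSRF: clients authenticate with a header token; no cookie session is accepted`, or, if cookies stay, add `include ActionController::RequestForgeryProtection` and keep the `protect_from_forgery` call. The class body continues outside the hunk.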
diff --git a/config/application.rb b/config/application.rb
index 11e2d9f7b5cf6f2b42055a5db31491b71be05515..3d4b699087e164fed8f3fe42bffadbd04dd77498 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -1,6 +1,12 @@
 require File.expand_path('../boot', __FILE__)
 
-require 'rails/all'
+# require 'rails/all'
+require 'active_record/railtie'
+require 'action_controller/railtie'
+require 'action_mailer/railtie'
+# require 'action_view/railtie'
+# require 'sprockets/railtie'
+require 'rails/test_unit/railtie'
 
 # Require the gems listed in Gemfile, including any gems
 # you've limited to :test, :development, or :production.
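Review bot: The explicit railtie list leaves out `active_job/railtie`, yet this file still sets `config.active_job.queue_adapter = :sidekiq` further down. That presumably keeps working only because another railtie loads Active Job as a side effect, which is easy to break on the next upgrade; add `require 'active_job/railtie'` to the list. The three commented-out requires (`rails/all`, `action_view/railtie`, `sprockets/railtie`) are dead code and would read better as one comment, for example `# action_view and sprockets are intentionally not loaded: API-only app`.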
@@ -53,5 +59,8 @@ module Portalmec
 
     # active job
     config.active_job.queue_adapter = :sidekiq
+
+    # api mode
+    config.api_only = true
   end
 end
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index e977629bb3e78e073f9190c136529ed5ea3481c7..85f1cc8ad3ae1b74e997d1275f4a029163090e29 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -228,6 +228,11 @@ Devise.setup do |config|
   #
   # The "*/*" below is required to match Internet Explorer requests.
   # config.navigational_formats = ['*/*', :html]
+  #
+  # If using rails-api, you may want to tell devise to not use ActionDispatch::Flash
+  # middleware b/c rails-api does not include it.
+  # See: http://stackoverflow.com/q/19600905/806956
+  config.navigational_formats = [:json]
 
   # The default HTTP method used to sign out a resource. Default is :delete.
   config.sign_out_via = :delete
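Review bot: `config.navigational_formats = [:json]` marks JSON as a navigational format, which looks like the opposite of what the added comment intends. For navigational formats Devise sets flash messages and answers a failed authentication with a redirect rather than a 401, so JSON clients may be redirected to a sign-in route and the missing flash middleware may still be hit. If the aim is to keep Devise away from flash and redirects, `config.navigational_formats = []` is the usual setting; please confirm against the Devise version in use.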
@@ -236,9 +241,9 @@ Devise.setup do |config|
   # Add a new OmniAuth provider. Check the wiki for more information on setting
   # up on your models and hooks.
   # config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
-  config.omniauth :facebook, "745857965514514", "eb465ec961022087f56204e3b86a63ee"
-  config.omniauth :twitter, "pGD4B2uPuDv07yYqshlwDmdeM", "zt2PHrfIhHjk8lRCqlc47BanKrBghjxYyh8XOzaSnPF27rTnNS"
-  config.omniauth :google_oauth2, "314037571286-v3in875omm5vn56uhg77j06vtuic223f.apps.googleusercontent.com", "cJN0MTZisPqkkCLg3kSQDWIx", { }
+  # config.omniauth :facebook, "745857965514514", "eb465ec961022087f56204e3b86a63ee"
+  # config.omniauth :twitter, "pGD4B2uPuDv07yYqshlwDmdeM", "zt2PHrfIhHjk8lRCqlc47BanKrBghjxYyh8XOzaSnPF27rTnNS"
+  # config.omniauth :google_oauth2, "314037571286-v3in875omm5vn56uhg77j06vtuic223f.apps.googleusercontent.com", "cJN0MTZisPqkkCLg3kSQDWIx", { }
 
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or
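Review bot: Commenting out the three `config.omniauth` lines leaves the Facebook, Twitter and Google client secrets readable in the file, and they remain in the repository history either way. Treat them as disclosed: rotate them at each provider, delete the commented lines, and read the values from the environment when the providers are re-enabled, e.g. `config.omniauth :facebook, ENV.fetch('FACEBOOK_APP_ID'), ENV.fetch('FACEBOOK_APP_SECRET')` (variable names are placeholders). A secret-scanning check in CI would keep this from recurring.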