I think the csrf was enabled by default on on post routes.

I don't know of any way to bypass the auto csrf check, you could try something like this to exclude the posts.

Quick and freehand dirty ... (aka untested)

Route::filter('csrf', function()
{

	// bypass route names (could move to a config file)
	$tmpStr = array('credits.ipn', 'credits.success');

	//bypass on these routes
	$routename = Route::currentRouteName();
	
	if (!in_array($routename, $tmpStr)) {

		if (Session::token() !== Input::get('_token'))
		{
			throw new Illuminate\Session\TokenMismatchException;
		}

	}

});

Another option would be to just clear out the default csrf filter and make your own, the auto check wouldn't have anything to fail on, ...

Changing the default filter,

Route::filter('csrf', function()
{
	if (Session::token() !== Input::get('_token'))
	{
		throw new Illuminate\Session\TokenMismatchException;
	}
});

to

Route::filter('csrf', function()
{
	// no auto check on posts
});

Route::filter('mycsrf', function()
{
	if (Session::token() !== Input::get('_token'))
	{
		throw new Illuminate\Session\TokenMismatchException;
	}
});

Then you can add in the mycsrf to any routes you want it to be on.

Just a couple thoughts, hope they help.

Just by taking my IPN routes out of the "before auth" group, it seems to be working fine now?

That's cool about the csrf though, think I'll implement that anyway, thanks! :)

PayumLaravelPackage supports Paypal IPN out of the box, with even some additional security checks. Just setup the package, configure it and use, it'll do the rest.