If you receive an HTTP 500 Internal Server Error in Postman while testing your Sitecore Commerce Engine, you need to disable CSRF validation.

You do this in the config.json file located in the wwwroot folder of the Commerce Engine (in a standard installation this will be C:\inetpub\wwwroot\CommerceAuthoring_Sc9\wwwroot\config.json).

Change the setting "AntiForgeryEnabled": true to "AntiForgeryEnabled": false and your Postman requests should work again.

Note that you only get the HTTP 500 error on POST, PUT and DELETE requests.
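As an added example (not from the original post and not Sitecore tooling), this Python script sets AntiForgeryEnabled for a test session and then lists every config.json under the web root that still has it switched off, so it can be turned back on afterwards. The `AppSettings` nesting, the second site name and the temp directory standing in for C:\inetpub\wwwroot are constructed assumptions.

```python
import json
import tempfile
from pathlib import Path

def walk(node, new=None, trail=""):
    """Yield (json_path, old_value) per AntiForgeryEnabled key; overwrite when new is given."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name == "AntiForgeryEnabled":  # setting name from the post
                yield f"{trail}/{name}", value
                if new is not None:
                    node[name] = new
            else:
                yield from walk(value, new, f"{trail}/{name}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, new, f"{trail}/{i}")

def load(path):  # utf-8-sig accepts files with or without a byte-order mark
    return json.loads(Path(path).read_text(encoding="utf-8-sig"))

def set_antiforgery(path, enabled):
    """Set the flag in one config.json and return the values it had before."""
    data = load(path)
    old = dict(walk(data, new=enabled))
    if not old:
        raise KeyError(f"AntiForgeryEnabled not found in {path}")
    Path(path).write_text(json.dumps(data, indent=2), encoding="utf-8")
    return old

def audit(webroot):
    """List config.json files under webroot that still have the check switched off."""
    return sorted(str(p) for p in Path(webroot).glob("*/wwwroot/config.json")
                  if any(v is False for _, v in walk(load(p))))

def demo():
    """Constructed sample in a temp dir standing in for the web root; AppSettings nesting is assumed."""
    root = Path(tempfile.mkdtemp())
    for site in ("CommerceAuthoring_Sc9", "SecondEngine_Example"):
        cfg = root / site / "wwwroot" / "config.json"
        cfg.parent.mkdir(parents=True)
        cfg.write_text('\ufeff{"AppSettings": {"AntiForgeryEnabled": true}}', encoding="utf-8")
    target = root / "CommerceAuthoring_Sc9" / "wwwroot" / "config.json"
    old = set_antiforgery(target, False)  # before the Postman session
    flagged = audit(root)
    set_antiforgery(target, True)  # once testing is done
    return old, flagged, audit(root)

if __name__ == "__main__":
    print(demo())
```

The file is rewritten as re-indented JSON without a byte-order mark, so copy the original first if you need its exact formatting.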