Securing Your Integration
Grammarly provides credentials-based authentication for securing your integration and a supplemental option for an extra layer of security: trusted authentication. Before making your web and desktop apps available in a production environment, please read over our credentials-based model for securing your integration and consider whether our supplemental layer of security (i.e., trusted authentication) is suited to your application and use case.
Credentials-based authentication is the default model for Grammarly for Developers applications. In this model, Grammarly checks your client's credentials to authenticate your connection to Grammarly. For web apps, Grammarly will only accept requests that 1) contain the valid client ID for your application and 2) originate from an approved origin. For desktop apps, Grammarly uses the client ID and, when the connected accounts feature is turned on, any redirect URIs that you supply.
Advantages of credentials-based authentication
- Credentials-based authentication is easy to set up.
- Credentials-based authentication requires no server-side code.
Disadvantages of credentials-based authentication
- Your server does not control who can access the Grammarly features of your application.
- Clients are primarily validated according to a pre-configured allowlist.
Trusted authentication is a feature of the SDK that adds an extra layer of security to your integration. Grammarly generates a public/private key pair that's unique to your application. Your server must then use the private key to issue an assertion, which Grammarly will decode with the corresponding public key each time your application validates a user session with Grammarly.
When trusted authentication is turned on, Grammarly will only allow a user access to Grammarly's assistance in your app if their assertion is signed with your private key.
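The sign-and-verify pattern behind trusted authentication, shown as an added example that is not Grammarly's code and not part of the original page. The assertion layout (`payload.signature` with `sub` and `exp` claims), the Ed25519 algorithm, the function names and the locally generated key pair are assumptions for illustration; the page does not specify Grammarly's actual assertion format.

```javascript
// Added illustration of a generic sign/verify flow (Node.js).
// Assumed, not Grammarly's wire format: "payload.signature", sub/exp claims, Ed25519.
const crypto = require('node:crypto');

// Stand-in key pair generated locally so the example runs offline.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Server side: issue a short-lived assertion only for a user the server has authorized.
function issueAssertion(userId, key, ttlSeconds = 300, now = Date.now()) {
  const claims = { sub: userId, exp: Math.floor(now / 1000) + ttlSeconds };
  const payload = b64url(JSON.stringify(claims));
  const signature = crypto.sign(null, Buffer.from(payload), key);
  return `${payload}.${b64url(signature)}`;
}

// Verifier side: check the signature first, then parse and check expiry.
function verifyAssertion(assertion, pubKey, now = Date.now()) {
  const parts = String(assertion).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [payload, sig] = parts;
  const valid = crypto.verify(null, Buffer.from(payload), pubKey,
    Buffer.from(sig, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= Math.floor(now / 1000)) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, user: claims.sub };
}
```

Because the signature covers the whole payload, a client cannot change the user or extend the expiry without the private key, which is why the private key must stay on the server.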
Advantages of trusted authentication
- Your server controls who can access the Grammarly features of your application.
- Clients are validated using a public/private key pair.
Disadvantages of trusted authentication
- Trusted authentication takes time to set up.
- Trusted authentication requires server-side code.
Recommendations for production applications
Credentials-based authentication is a good model for authentication in the following scenarios:
- When you’re OK with completely anonymous users using Grammarly in your application
- When you're just getting started and want to try Grammarly for Developers with minimal effort
- When your application is in an experimental or testing environment and you’re not opening it up to production traffic
- When your application is a short-lived proof-of-concept or a demo application
We recommend that you take the extra steps to turn on and use trusted authentication as a means of authentication in the following scenarios:
- When your app is on the Grammarly for Developers Plus plan and you want to control exactly who can access paid features
- When you want to ensure that only authorized users have access to the Grammarly features of your application