There's no reason to send the grammarly auth token into the page's javascript context to begin with. The ajax connections can be done with the auth token in the extension's protected content script context.