Authentication overview

Quip, a collaborative productivity platform owned by Salesforce, integrates document creation, spreadsheets, and chat functionality within a unified workspace. Authentication for Quip primarily focuses on securing user access to the platform itself and programmatic access to its APIs for integrations and custom applications. Given its integration with Salesforce, Quip often relies on Salesforce's robust identity and access management infrastructure for user authentication and authorization.

The authentication mechanisms are designed to support both interactive user sessions and headless API interactions. Users typically authenticate through their Salesforce credentials, benefiting from existing security policies like multi-factor authentication (MFA). For developers building integrations or custom Live Apps, Quip provides API tokens and leverages OAuth 2.0 for secure, delegated access to user data without exposing credentials.

Understanding Quip's authentication landscape is essential for maintaining data security, controlling access to sensitive documents, and building reliable integrations that comply with organizational security policies. The methods available cater to various use cases, from end-user login to service-to-service communication.

Supported authentication methods

Quip supports several authentication methods tailored to different use cases, balancing ease of use with security requirements. These methods are often intertwined with Salesforce's identity management capabilities.

  • Salesforce Single Sign-On (SSO): For most users, access to Quip is managed through their existing Salesforce credentials. This method leverages Salesforce's identity provider, allowing users to log into Quip with the same username and password they use for Salesforce. This integration simplifies user management and extends Salesforce's security policies, including MFA and IP restrictions, to Quip access. Salesforce provides detailed documentation on how to configure Single Sign-On in Salesforce.
  • OAuth 2.0: Quip utilizes OAuth 2.0 for delegated authorization, particularly for third-party applications and custom integrations that need to access user data or perform actions on behalf of a user without directly handling their credentials. This protocol allows users to grant specific permissions to an application, which then receives an access token to interact with Quip APIs. OAuth 2.0 is an industry-standard framework for authorization, detailed in the OAuth 2.0 specification.
  • API Tokens: For programmatic access where a user context might not be present or for server-to-server integrations, Quip provides API tokens. These tokens act as persistent credentials for accessing the Quip Rich Text API and other integration endpoints. API tokens are typically managed by administrators and should be treated as sensitive secrets. They grant direct access to specific Quip functionalities or data, depending on their scope and associated permissions.

The choice of authentication method depends on the nature of the integration or access requirement:

  • Use Salesforce SSO for end-user logins to the Quip application.
  • Employ OAuth 2.0 for applications that interact with Quip on behalf of individual users, requiring user consent for specific actions.
  • Utilize API Tokens for headless services, automated scripts, or server-side applications that need consistent, direct access to Quip APIs.

Authentication Methods Table

| Method | When to Use | Security Level |
|---|---|---|
| Salesforce Single Sign-On (SSO) | Interactive user logins to the Quip application, leveraging existing Salesforce identity. | High (inherits Salesforce MFA, IP restrictions, etc.) |
| OAuth 2.0 | Third-party applications or custom integrations requiring delegated access to user data with explicit consent. | High (token-based, scope-limited, user-revocable) |
| API Tokens | Programmatic access for server-to-server communication, automated scripts, or headless services. | Medium-High (requires secure storage and rotation; direct access) |

Getting your credentials

The process for obtaining authentication credentials for Quip varies depending on the chosen method:

For Salesforce Single Sign-On (SSO)

Users access Quip directly via their Salesforce credentials. No separate credential setup is typically required for individual users beyond their existing Salesforce account. Administrators manage the integration between Salesforce and Quip, ensuring that users provisioned in Salesforce have access to Quip. Salesforce provides resources for Quip administration and setup within Salesforce.

For OAuth 2.0

To use OAuth 2.0, you must register your application with Salesforce as a connected app. This process typically involves:

  1. Creating a Connected App in Salesforce: Navigate to Salesforce Setup, then search for "App Manager" and create a new connected app.
  2. Configuring OAuth Settings: Define the OAuth scopes (permissions) your application requires (e.g., quip_full_access, quip_read_only). Specify the callback URL(s) where Quip will redirect the user after authorization.
  3. Obtaining Client ID and Client Secret: Upon saving the connected app, Salesforce will generate a Consumer Key (Client ID) and Consumer Secret (Client Secret). These are unique identifiers for your application and should be kept confidential.
  4. Initiating the OAuth Flow: Your application will then initiate the OAuth 2.0 authorization flow, typically by redirecting the user to a Salesforce authorization endpoint. After the user grants permission, Salesforce redirects the user back to your specified callback URL with an authorization code.
  5. Exchanging Code for Access Token: Your application exchanges the authorization code for an access token and optionally a refresh token using the Client ID and Client Secret. This access token is then used to make authenticated API requests to Quip. More details on Salesforce OAuth 2.0 Web Server Flow are available in the Salesforce Developer Documentation.
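The redirect, callback check and code exchange of steps 4 and 5, written as an added Python example rather than code from Quip or Salesforce. The state parameter and the exact-match check on the callback URL are what stop a forged or replayed redirect from being exchanged for a token. Assumed here: the login.salesforce.com endpoint URLs (a My Domain host may replace them), the example.com callback address, and the quip_read_only scope name taken from step 2.

```python
import hmac
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Salesforce's standard OAuth 2.0 endpoints (assumed; a My Domain host may replace login.salesforce.com).
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

def new_state():
    """Unguessable per-login value that ties the callback to the session that started it."""
    return secrets.token_urlsafe(32)

def build_authorize_url(client_id, redirect_uri, scopes, state, base=AUTHORIZE_URL):
    """Step 4: the URL the user is sent to so they can grant the requested scopes."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return base + "?" + urlencode(params)

def parse_callback(callback_url, registered_redirect, expected_state):
    """Validate the redirect back from Salesforce (exact registered URL, matching state) and return the code."""
    got, want = urlparse(callback_url), urlparse(registered_redirect)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback arrived at an unregistered redirect URL")
    qs = parse_qs(got.query)
    if "error" in qs:
        raise PermissionError(qs["error"][0])  # user denied consent or Salesforce refused the request
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code

def token_request_body(code, client_id, client_secret, redirect_uri):
    """Step 5: form body for the token endpoint; redirect_uri must repeat the value used in step 4."""
    return urlencode({"grant_type": "authorization_code", "code": code, "client_id": client_id,
                      "client_secret": client_secret, "redirect_uri": redirect_uri}).encode()

def exchange_code(code, client_id, client_secret, redirect_uri, token_url=TOKEN_URL):
    """POST the code and return the parsed JSON (access_token, plus refresh_token if granted)."""
    body = token_request_body(code, client_id, client_secret, redirect_uri)
    req = urllib.request.Request(token_url, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

The state value must be stored server-side (for example in the user's session) between building the authorize URL and handling the callback, and discarded once used.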

For API Tokens

API tokens for Quip are typically generated and managed within the Quip Admin Console or through Salesforce administrative interfaces, depending on your Quip edition and integration setup.

  1. Accessing the Quip Admin Console: An administrator with appropriate permissions logs into the Quip Admin Console.
  2. Generating Tokens: Within the administrative settings, there is usually a section for API access or integrations where new API tokens can be generated. These tokens are often associated with a specific user or a service account and granted specific permissions or scopes.
  3. Recording the Token: Once generated, the API token (a long string of characters) is displayed. It is crucial to copy and store this token securely immediately, as it may not be retrievable again after leaving the page for security reasons.
  4. Assigning Permissions: Ensure the generated token has the minimum necessary permissions to perform its intended tasks. Overly broad permissions increase security risk.

Consult the official Quip Support documentation for the most current and detailed instructions on generating API tokens, as the interface and steps may evolve.

Authenticated request example

When interacting with the Quip Rich Text API or other Quip integration endpoints using an API token, you typically include the token in the Authorization header of your HTTP requests. The format is commonly Bearer <YOUR_API_TOKEN>.

Here's an example using curl to fetch information using the Quip Rich Text API, assuming you have a valid API token:

curl -X GET \
  'https://platform.quip.com/1/threads/current' \
  -H 'Authorization: Bearer YOUR_API_TOKEN'

Replace YOUR_API_TOKEN with your actual Quip API token. The specific endpoint (e.g., /1/threads/current) and required parameters will vary based on the Quip API functionality you intend to use. For OAuth 2.0, the process is similar, but you would use the access token obtained through the OAuth flow in the Authorization: Bearer header.
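The same bearer-token request as a small Python helper, added here as an example and not Quip's own client code: it loads the token from the environment instead of the source file, refuses plain HTTP, and masks the token in any error text before it can reach a log. The QUIP_API_TOKEN variable name is an assumption; the /threads/current path repeats the curl example.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

QUIP_API_BASE = "https://platform.quip.com/1"

def load_api_token(environ, env_var="QUIP_API_TOKEN"):
    """Read the token from the process environment (pass os.environ) rather than from source code."""
    token = environ.get(env_var, "").strip()
    if not token:
        raise RuntimeError(f"{env_var} is not set; refusing to call the API without credentials")
    return token

def auth_headers(token):
    """Authorization: Bearer <token>, the same header the curl example above sends."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}

def redact(text, token):
    """Mask the token wherever it occurs so it cannot leak through logs or error messages."""
    return text.replace(token, token[:4] + "...[redacted]") if token else text

def quip_get(path, token, base=QUIP_API_BASE):
    """GET a Quip API path with the bearer token; refuses non-HTTPS URLs and never exposes the token."""
    url = base.rstrip("/") + "/" + path.lstrip("/")
    if urlsplit(url).scheme != "https":
        raise ValueError("Quip API calls must use HTTPS so the token is never sent in the clear")
    req = urllib.request.Request(url, headers=auth_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            # A rejected token means checking scope, revocation or rotation, not retrying blindly.
            raise PermissionError(f"Quip rejected the token ({exc.code}) for {url}") from None
        detail = redact(exc.read().decode("utf-8", "replace"), token)
        raise RuntimeError(f"HTTP {exc.code} from {url}: {detail[:200]}") from None
```

Call it as `quip_get("/threads/current", load_api_token(os.environ))`; the token never appears in the URL, and HTTPS is enforced before any connection is opened.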

Security best practices

Implementing strong authentication practices is crucial for protecting Quip data and maintaining system integrity. Adhere to these best practices:

  • Principle of Least Privilege: Grant only the minimum necessary permissions or scopes to API tokens and OAuth applications. Regularly review and adjust permissions as needs change.
  • Secure Storage of Credentials: API tokens, Client Secrets, and refresh tokens must be stored securely. Avoid hardcoding them directly into source code. Use environment variables, secure configuration management systems, or dedicated secret management services (e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault).
  • Rotate API Tokens and Client Secrets: Periodically rotate API tokens and OAuth Client Secrets to minimize the impact of a potential compromise. The frequency of rotation should align with your organization's security policies.
  • Implement Multi-Factor Authentication (MFA): For user logins via Salesforce SSO, ensure MFA is enforced. Salesforce provides robust MFA options that extend to Quip access, significantly reducing the risk of unauthorized access due to compromised passwords. Learn more about Salesforce Multi-Factor Authentication.
  • Monitor API Usage and Access Logs: Regularly review Quip and Salesforce audit logs for unusual activity, failed login attempts, or unauthorized API calls. Implement alerting for suspicious patterns.
  • Validate Callback URLs for OAuth: For OAuth 2.0 applications, ensure that callback URLs are strictly validated to prevent redirection attacks. Only allow trusted and specific URLs.
  • Use HTTPS/TLS: All communication with Quip APIs and web interfaces must occur over HTTPS/TLS to encrypt data in transit and prevent eavesdropping.
  • Educate Users: Train users on strong password practices, the importance of MFA, and how to identify phishing attempts that target credentials.
  • Regular Security Audits: Conduct regular security audits and penetration testing of applications and integrations that interact with Quip to identify and address vulnerabilities.