Perhaps this is just misleading documentation, but is the API / authentication supported over https?
Authentication
API Key
Access to the Grist API is controlled by an Authorization header, which should contain the word ‘Bearer’, followed by a space, followed by your API key.
Security Scheme Type: HTTP <----- ?
HTTP Authorization Scheme:
bearerBearer format:
Authorization: Bearer XXXXXXXXXXX