Hacker News

I could be missing something, but the code at that link looks seriously insecure. Using sha(secret + parameters) as a MAC is the classic pattern vulnerable to length extension attacks; the self-delimiting nature of JSON might save you, except various parameters are concatenated together with no delimiter, so you might be able to move data from one to another and make it work anyway. In practice this is unlikely to be exploitable as the whole thing is over SSL, but in any case, using an HMAC to avoid length extension is basic security engineering stuff.
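
Added illustration (not the linked project's code, nor the commenter's): the two problems named above side by side. `naive_tag` is the sha(secret || values) pattern with values concatenated undelimited, so two different parameter sets can collide by shifting characters from one field to the next; `hmac_tag` uses HMAC over a canonical, self-delimiting JSON encoding. The secret and parameter names are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed placeholder key; a real deployment would load this from secret storage.
SECRET = b"example-secret-not-a-real-key"


def naive_tag(secret: bytes, params: dict) -> str:
    """The criticised pattern: sha256(secret || v1 || v2 || ...) with no delimiter.

    Two defects: the bare hash-of-concatenation is length-extendable, and the
    missing delimiter means the hash input does not uniquely determine the
    parameters (see collision_demo below).
    """
    payload = "".join(str(params[k]) for k in sorted(params)).encode()
    return hashlib.sha256(secret + payload).hexdigest()


def hmac_tag(secret: bytes, params: dict) -> str:
    """Hardened version.

    HMAC removes the length-extension issue; the canonical sorted-key JSON
    encoding gives every value an unambiguous boundary, so moving data between
    fields changes the tag.
    """
    payload = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify(secret: bytes, params: dict, tag: str) -> bool:
    """Constant-time comparison so tag checking does not leak timing information."""
    return hmac.compare_digest(hmac_tag(secret, params), tag)


def collision_demo(secret: bytes = SECRET) -> tuple:
    """Returns (naive_tags_equal, hmac_tags_equal) for two distinct parameter sets
    whose undelimited concatenation is identical ("admin"+"bob" == "adminb"+"ob")."""
    a = {"role": "admin", "user": "bob"}
    b = {"role": "adminb", "user": "ob"}
    return (naive_tag(secret, a) == naive_tag(secret, b),
            hmac_tag(secret, a) == hmac_tag(secret, b))


if __name__ == "__main__":
    naive_equal, hmac_equal = collision_demo()
    print("naive scheme collides:", naive_equal)   # True
    print("HMAC scheme collides: ", hmac_equal)    # False
```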

