UUID v4 is, in fact, random and "alphanumeric" in the sense that it's hex.
That being said, I have a few other issues with their wording as well. They should just say "we have a custom HMAC-based authentication scheme for our REST API". Also, it took me about 3 days to realize HMAC over SSL/TLS is about as secure and easy as you can get for most any language -- If you can send HTTP requests, you can probably do HMAC. You can add further safety by making expiring private keys for HMAC and other things, although my use cases are based on long running (weeklong+) batch computations, and not end users. (i.e. initial distribution of an expiring private key for HMAC over SSL, reauthentication schemes, etc...
That being said, I have a few other issues with their wording as well. They should just say "we have a custom HMAC-based authentication scheme for our REST API". Also, it took me about 3 days to realize HMAC over SSL/TLS is about as secure and easy as you can get for most any language -- If you can send HTTP requests, you can probably do HMAC. You can add further safety by making expiring private keys for HMAC and other things, although my use cases are based on long running (weeklong+) batch computations, and not end users. (i.e. initial distribution of an expiring private key for HMAC over SSL, reauthentication schemes, etc...