About the timing attack on HMAC that the article mentions. It takes thousands if not hundreds of thousands of requests to gather the data (and let's assume you can indeed extract the data out of all the noise caused by network latency etc.), and any properly designed API should have a throttle measure built in to prevent brute force attacks like this.
A good, secure API is protected by a variety of measures, not just through the request authentication component. Of course you should still make your auth as secure as possible.
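The two defenses the comment above relies on, a signature check that does not leak where the mismatch occurs and a throttle on failed authentication, as an added example that is not the commenter's code. The key, the client id, the request shape and the failure limits are all constructed placeholders for illustration:

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed placeholder key for the example; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-example-key"


def sign_request(method, path, body, key=SECRET_KEY):
    """HMAC-SHA256 over method, path and body (a constructed request format)."""
    msg = method.encode() + b"\n" + path.encode() + b"\n" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_signature_unsafe(method, path, body, provided_sig, key=SECRET_KEY):
    # Ordinary equality can stop at the first differing byte, so the time it takes
    # depends on how much of the prefix matched. This is the leak the comment refers to.
    return sign_request(method, path, body, key) == provided_sig


def verify_signature(method, path, body, provided_sig, key=SECRET_KEY):
    # compare_digest runs in time independent of where the inputs differ and returns
    # False (rather than raising) when the lengths differ. Encoding both sides to bytes
    # avoids a TypeError if the client sends a non-ASCII string.
    expected = sign_request(method, path, body, key)
    return hmac.compare_digest(expected.encode(), provided_sig.encode())


class FailureThrottle:
    """Sliding-window count of failed authentications per client.

    Once a client has max_failures failures within window_seconds, every request
    from it is rejected before the signature is even checked, so the server stops
    acting as an oracle regardless of how precise the caller's timing is.
    """

    def __init__(self, max_failures=5, window_seconds=60.0):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(list)  # client_id -> timestamps of failed attempts

    def _prune(self, client_id, now):
        cutoff = now - self.window
        self._failures[client_id] = [t for t in self._failures[client_id] if t > cutoff]

    def is_blocked(self, client_id, now):
        self._prune(client_id, now)
        return len(self._failures[client_id]) >= self.max_failures

    def record_failure(self, client_id, now):
        self._failures[client_id].append(now)


def authenticate(throttle, client_id, method, path, body, provided_sig, now, key=SECRET_KEY):
    """Returns 'throttled', 'ok' or 'bad_signature'. `now` is injected so the behaviour is testable."""
    if throttle.is_blocked(client_id, now):
        return "throttled"
    if verify_signature(method, path, body, provided_sig, key):
        return "ok"
    throttle.record_failure(client_id, now)
    return "bad_signature"


if __name__ == "__main__":
    throttle = FailureThrottle(max_failures=3, window_seconds=60.0)
    body = b'{"order": 1}'
    good = sign_request("POST", "/v1/orders", body)
    print(authenticate(throttle, "client-a", "POST", "/v1/orders", body, good, now=100.0))
    for i in range(3):
        print(authenticate(throttle, "client-a", "POST", "/v1/orders", body, "0" * 64, now=101.0 + i))
    # Even a correct signature is refused while the client is throttled.
    print(authenticate(throttle, "client-a", "POST", "/v1/orders", body, good, now=105.0))
```

The throttle deliberately refuses correct signatures as well while a client is over its limit; counting only failures but blocking everything is what keeps a throttled client from learning anything further, and the window expiring restores normal service without operator intervention.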
It's my understanding that bittorrent sync uses the latency of the network for such a throttle. Wild hair: a cyclotron-style router roundabout could hold millions of packets "in suspension" for n seconds.