Beware of playback attacks, that is, an attacker sniffing the request can reuse it as is even if he does not know the shared secret.

To mitigate the playback attack it is possible to use a challenge-request protocol where the server sends to the client a large random number that the client needs to add to the HMAC input (and that is invalidated after the request is received, so that no further requests can be made using the same random number).
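The nonce-based scheme the comment describes, as an added example that is not code from the original page or from any project it mentions. The server issues a random challenge, the client includes it in the HMAC input together with the request fields, and the server burns the nonce the moment it sees a request carrying it, so a sniffed request cannot be replayed. The field names (`nonce`, `method`, `path`, `body`, `mac`), the length-prefixed canonical form and the shared secret are all assumptions made for the demonstration.

```python
import hmac
import hashlib
import secrets


def canonical(*fields: str) -> bytes:
    """Length-prefix each field so that fields cannot slide into one another
    (e.g. path "/a" + body "b/c" vs path "/ab" + body "/c")."""
    out = b""
    for f in fields:
        data = f.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def compute_mac(secret: bytes, nonce: str, method: str, path: str, body: str) -> str:
    # The server-issued nonce is part of the MAC input; without it a captured
    # request would verify again and again.
    return hmac.new(secret, canonical(nonce, method, path, body), hashlib.sha256).hexdigest()


class Server:
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.outstanding = set()  # nonces issued but not yet consumed (assumed in-memory store)

    def challenge(self) -> str:
        """Step 1: hand the client a large random number to bind into its next request."""
        nonce = secrets.token_hex(32)  # 256 bits of randomness
        self.outstanding.add(nonce)
        return nonce

    def verify(self, request: dict) -> bool:
        """Step 3: accept the request only if its nonce is fresh and the MAC matches."""
        nonce = request["nonce"]
        if nonce not in self.outstanding:
            return False  # never issued, or already used: a replay lands here
        # Consume the nonce before checking the MAC, so even a failed attempt
        # cannot be retried with the same challenge.
        self.outstanding.discard(nonce)
        expected = compute_mac(self.secret, nonce, request["method"], request["path"], request["body"])
        return hmac.compare_digest(expected, request["mac"])  # constant-time comparison


def client_sign(secret: bytes, nonce: str, method: str, path: str, body: str) -> dict:
    """Step 2: the client builds the request and MACs it together with the nonce."""
    return {
        "nonce": nonce,
        "method": method,
        "path": path,
        "body": body,
        "mac": compute_mac(secret, nonce, method, path, body),
    }


def demo() -> tuple:
    """Returns (first request accepted, verbatim replay accepted, tampered replay accepted)."""
    secret = b"constructed-shared-secret"  # constructed sample key
    server = Server(secret)

    nonce = server.challenge()
    req = client_sign(secret, nonce, "POST", "/api/transfer", '{"amount": 10}')
    first = server.verify(req)

    replay = server.verify(dict(req))  # attacker resends the sniffed request as is

    tampered = dict(req)
    tampered["body"] = '{"amount": 1000}'  # attacker edits the body but cannot recompute the MAC
    return first, replay, server.verify(tampered)


if __name__ == "__main__":
    print(demo())
```

The nonce is removed from the outstanding set before the MAC is compared, so a wrong MAC also burns the challenge; an attacker who captured a valid request has to obtain a fresh nonce, and without the shared secret cannot produce a MAC over it. In a real deployment the nonce store needs an expiry and must be shared across server instances, otherwise a load-balanced replay to a different node would not find the nonce consumed.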
I don't understand why this is a downside:

"Cryptography is hard, a single character difference will result in a completely different value."

HMAC is designed to guarantee the integrity of the message. If a single character difference didn't result in a completely different value, the whole method would be completely flawed.
How does one implement a browser single-app JS client (Backbone, Angular, etc.) to access a server API with HMAC authentication? The secret key will be exposed clearly in the JavaScript client.