To me there is nothing really wrong with this API except that they made the mistake of calling it a RESTfull API and, as such, have incurred the wrath of REST purists.
If they were to change the auth method to use a secret key for signing requests and just call it an RPC API then I don't think there would be a problem.
If they were to change the auth method to use a secret key for signing requests and just call it an RPC API then I don't think there would be a problem.