Good point about making sure it gets decoded properly. I do have control over the JS in this instance and started to do that (changing the hash to calculate pre-encoding), but I stopped for three reasons. 1) I encode the string in a JS function piece by piece, then calculate the hash once it's all pieced together. So I'd need to piece together a non-encoded string as well, then hash that. It's a lot of work, and is in a handful of files (pure laziness). JS code snippet below. 2) I'm not sure I'll always have control over the input like that. 3) I was hoping to handle it with Perl for ease.

    var jData = {request:{'service':'ins_task_queue'},data:[]};
    $('[name=remote_download_id]:checked').each(function(){
        remote_download_id         = $(this).val();
        var here = $(this).siblings();
        var tmpObj = {};
        tmpObj['remote_download_id'] = remote_download_id;
        $.each($(this).siblings(),function(k,v){
-->            tmpObj[here[k].name] = encodeURIComponent(here[k].value
+);
        });
        here = $(this).parent().siblings().children(':input');
        $.each($(this).parent().siblings().children(':input'),function
+(k,v){
-->            tmpObj[here[k].name] = encodeURIComponent(here[k].value
+);
        });
        jData['data'].push(tmpObj);
    });

...
[download]

PHP parts:

    public function getRequest($request,$data,$response_type){
        $reqData['request']['service']     = $request;
        $reqData['data']         = $data;
        $fields = array(
            'data' => json_encode($reqData)
            , 'xyz' => $xyz
            , 'abc' => $abc
        );
        $fields['api_key'] = getApiKey($fields);
        global $debug;
        $debug = $fields;
        return getSvc($fields);
    }

function getApiKey($fields){
    return hash_hmac('sha512',$fields['data'].$fields['abc'].$fields['
+xyz'],$GLOBALS['ses_secret_key']);
}
[download]