
It's a good idea, but if you do that properly, you should have a system in place to rotate the secret, and if shell scripts work with those graph files, they might also need access to both the hashing function and the secret.

I wonder if instead one could use mod_rewrite (assuming Apache), and check the URL against %{REMOTE_USER}.



I'm not certain why one would want to rotate the secret on a regular basis; it'd only need to be changed in case of exposure. A truly robust system would have a way to easily say 'rotate the secret' rather than have to manually change it.

Basically, it's a poor man's capability system: once one has a URL to one's graphs, one can easily share them around, but if one doesn't have the URL and doesn't have the secret, one cannot determine the URL, thanks to the power of a decent hash function in the HMAC.
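The scheme discussed in the two comments above, as an added example that is not code from the thread: an HMAC-derived graph URL that carries a key id, so a secret can be rotated after exposure and URLs issued under a retired key stop verifying. The URL layout, key ids, secrets and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample secrets, indexed by key id (hypothetical layout).
# Rotating means adding a new id and, after exposure, deleting the old one.
KEYS = {"k1": b"constructed-old-secret", "k2": b"constructed-new-secret"}
CURRENT_KEY_ID = "k2"


def tag_for(key_id: str, user: str, graph: str) -> str:
    """HMAC-SHA256 over the user and graph name under the given key."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (user.encode(), graph.encode()))
    return hmac.new(KEYS[key_id], msg, hashlib.sha256).hexdigest()


def graph_url(user: str, graph: str, key_id: str = CURRENT_KEY_ID) -> str:
    """Return the shareable path; it cannot be derived without the secret."""
    return f"/graphs/{key_id}/{tag_for(key_id, user, graph)}/{user}/{graph}"


def verify(path: str) -> bool:
    """Accept a path only if its tag matches under a still-trusted key."""
    parts = path.strip("/").split("/")
    if len(parts) != 5 or parts[0] != "graphs":
        return False
    _, key_id, tag, user, graph = parts
    if key_id not in KEYS:  # retired key: every URL issued under it is dead
        return False
    expected = tag_for(key_id, user, graph)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(tag.encode(), expected.encode())


if __name__ == "__main__":
    url = graph_url("alice", "cpu.png")
    print(url, verify(url))
    print(verify(url.replace("alice", "bob")))  # tag no longer matches
```

Any script that generates or checks these paths needs both the key table and this tag function, which is the operational cost the first comment points out.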



