We added signed header-based security to the Map service APIs.
Adding security after the fact is a bad idea. Just sayin'. We managed it, but it was messy, and required coordinated rollouts across our services to get the support for Signed JWTs and signed HMACs working the way we wanted.
The shared library we built for managing signature verification did make this easier for Java.