You're only using SSL which protects you vs relay attacks (it's doing its own MAC). Authentication is being done through the HTTP request Authorization header and the attached pre-shared key.
Use SSL only, tune ciphers and you're good. You're wasting time trying to overthink the problem by adding another layer on top.
If you use a broken library then you're in trouble no matter what MAC wizardry you layer on top of it. You've got a core issue that is a better place to spend time solving than coming up with some sort of MAC layer to add on top.
How else can you guard against replay attacks, and authenticate the request? Only a key isn't enough, you need secrets as well. Right?