The private key of the API user is hashed with the full URL of the service. The user id is sent in the header of the request. The server looks up the user id and gets their private key, it then uses that key to hash the URL, comparing it to the one passed.
There is no way for a scraper or bot to get the HMAC token.
For an authenticated user, yes, as you have somewhere to hang a known-by-the-server-but-unknown-elsewhere key from.
For a public interface you don't necessarily have that.
Though once you are dealing with a service that can be modified by unauthenticated users you have larger problems from malicious interactive users than from accidents by scrapers, so I'm probably arguing an irrelevant point...
The private key of the API user is hashed with the full URL of the service. The user id is sent in the header of the request. The server looks up the user id and gets their private key, it then uses that key to hash the URL, comparing it to the one passed.
There is no way for a scraper or bot to get the HMAC token.