I cannot comment on the status of the package, but I feel confident about telling you that SSL recommendation still holds, because once the token is issued, everybody being able to sniff it over the connection could get access to the server.
