I think that's totally OK, assuming the hash really is generated securely.
Google does something like that for google docs, and I think google voice and probably other services.
Edit: the URL request is visible to anyone on the network between you and the design firm's website, but so is any unsecured HTTP traffic. If it's sensitive enough to need encryption, then the site should be HTTPS and
the URL will also be encrypted (an eavesdropper will only see the request for the domain name
www.firm.com, because you have to ask your DNS server for it).
Last edited by RoundTower; 07-12-2011 at 08:17 PM.