HMAC with a time-window

I'm doing some tests with HMAC by using a time-window mechanism based on UTC+0 synced time. The server has a special public API call http://myserver.com/api/servertime/ that will return the server's exact UTC+0 time. This way the API users can sync their requesting client so it will be able to match the time window my API allows for secure calls. I built in a 30 minute timeslot (-15min - +15min).

My code looks like this:

func GenerateHmac512(message []byte, key []byte) []byte {
	h := hmac.New(sha512.New, key)
	h.Write(message)
	return []byte(base64.StdEncoding.EncodeToString(h.Sum(nil)))
}

func ValidateHmac512(message, messageMAC, key []byte) bool {
	var err error
	decryptedMessageMAC, err := base64.StdEncoding.DecodeString(string(messageMAC))

	if err != nil {
		log.Fatalln(err.Error())
		return false
	}

	mac := hmac.New(sha512.New, key)
	mac.Write(message)
	expectedMAC := mac.Sum(nil)
	return hmac.Equal(decryptedMessageMAC, expectedMAC)
}

func main() {
	timestamp := time.Now().Unix()
	key := []byte("afad9411468602782fb62d904f623d87")
	message := []byte(fmt.Sprintf("SecretHash,Value1,Value2,Value3,TimeStamp:%d", time.Now().Unix()))
	hmacHash := GenerateHmac512(message, key)
	hmacValid := ValidateHmac512(message, hmacHash, key)
	log.Println(timestamp)
	log.Println(string(hmacHash))
	log.Println(hmacValid)

	requestValid := false

	if timestamp > time.Now().Unix()-(60*15) && timestamp < time.Now().Unix()+(60+15) {
		requestValid = true
	}

	log.Println(requestValid)
}

I'm hashing the timestamp that will be publicly provided in the call in my HMAC hash, combined with the secret hash. I'm wondering if this is fool-proof enough, or it would need more work to make it totally solid? The call would be something like this:

POST http://myserver.com/api/users/
Value1 : Data1
Value2 : Data2
Value3 : Data3
Timestamp : 1420497639

Eventually when this is all OK I'm gonna send this data over SSL/TLS. I know SSL is more than enough and HMAC wouldn't be needed, but I like to have these 3 layers of security. And I want to benchmark variations of these layers to see what the performance impact is and how I can tweak it to have a good balance between performance and security.

There's not much to answer here, an HMAC authenticates a message and verifies integrity, and that seems to be what you want. Also, TLS is only "more than enough" if you're authenticating the client. If this is an unauthenticated call, then HMAC is still reasonable to prove the knowledge of a shared secret.

Note that SecretHash is superfluous. You already have a secret shared key.