I suppose you have a better way to do cross-platform cross-domain APIs? Enlighten us. Facebook and Google use this method, and I assume it is because there isn't a better way.
You can use CORS [1] on browsers that support it. [2] You really should use it if at all possible given your application's constraints, so you don't have to abuse GET requests and can use a JSON parser.
Unfortunately CORS is not really doable if you have to support IE and need non-cookie authentication, as my company recently discovered to our sorrow. No custom headers, so goodbye to your X-Auth-Token. That has only been fixed in IE10.
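The CORS setup discussed above with token (non-cookie) authentication, as an added example that is not part of any comment in this thread: a Node-style decision function that answers the preflight a browser sends before a request carrying `X-Auth-Token`. The origin allowlist and the names `corsDecision`, `ALLOWED_ORIGINS`, `ALLOWED_METHODS` and `ALLOWED_HEADERS` are assumptions.

```javascript
// Added example; all names and the origin below are hypothetical/constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "x-auth-token"];

// `headers` uses lowercase keys, as Node's http module provides them.
// Returns { status, headers, handle }; handle=true means "pass to the API handler".
function corsDecision(method, headers) {
  const origin = headers["origin"];
  const out = { Vary: "Origin" }; // caches must key on Origin because we echo it
  const reqMethod = headers["access-control-request-method"];
  const isPreflight = method === "OPTIONS" && reqMethod !== undefined;

  // Same-origin or non-browser request: no CORS headers needed.
  if (origin === undefined) return { status: 200, headers: out, handle: true };

  if (!ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-* headers, so the browser refuses to expose the response.
    // CORS is not authorization: the token check in the handler still applies.
    return { status: isPreflight ? 403 : 200, headers: out, handle: !isPreflight };
  }

  // Echo the exact allowlisted origin, never "*". No Allow-Credentials header:
  // authentication is the X-Auth-Token header, not a cookie.
  out["Access-Control-Allow-Origin"] = origin;

  if (isPreflight) {
    const reqHeaders = (headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(reqMethod) &&
      reqHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: { Vary: "Origin" }, handle: false };
    out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    out["Access-Control-Max-Age"] = "600"; // let the browser cache the preflight
    return { status: 204, headers: out, handle: false };
  }
  return { status: 200, headers: out, handle: true };
}
```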