
It's funny that they say it's "not suitable" when it's really just pure laziness. It takes two seconds to create a secret key and use the HS256 algorithm to generate and verify a signature.


Creating a key is easy; storing it securely and giving access to only the parts of your system that need it takes a bit more work.

Of course, if you trust your network and the parties involved well enough that you'd be fine with unencrypted and unauthenticated data, I guess it doesn't matter if you just check the key into a git repo somewhere... but then you're potentially normalizing bad practices, even if in that particular instance it might be ok.
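As an added illustration (not code from either commenter), the HS256 sign-and-verify the first comment calls trivial, written so the key is read from the environment rather than checked in, as the second comment cautions; the `JWT_HS256_KEY` variable name and `DEMO_KEY` value are assumptions made up for this example.

```python
import base64, hashlib, hmac, json, os

# Constructed key for offline demonstration only; production code uses load_key().
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

def load_key() -> bytes:
    # Assumed variable name. The key lives in the deployment's secret store,
    # never in the repository alongside the code that uses it.
    key = os.environ.get("JWT_HS256_KEY")
    if not key:
        raise RuntimeError("JWT_HS256_KEY is not set")
    return key.encode()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(payload: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, key: bytes):
    """Return the payload dict if the token is valid, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    # Only accept the algorithm we issued; never let the token choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))
```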



