Is it safe to place Spark Core Token number in a Webpage?

Looks good to me.

Clearly, only the intended user/owner of your device ever gets to see any webpage containing any ajax requests to external servers of any kind. Thus, all my warnings about broadcasting your access_token are out of context and do not apply at all. (Pretty sure I said that already, once or twice, at least.)

So now, the only issue I see is that, once you turn your cable modem off, you lose control of your sparkcore, because you are still relying on api.spark.com to get those commands through. On the other hand, you already have all the pieces needed to communicate directly with your sparkcore, thus not requiring any link to api.spark.com (or spydrop.com) at all.

What I mean is, instead of only serving up web pages from your spark', as you are at present, have that "tiny web server" also recognise special URIs to command your 'core directly, without any outside involvement. No tinker functions or variables -- no Spark API whatsoever. No outbound connection to spydrop.com or anywhere else outside your local LAN.

For example, instead of jQuery sending requests to spydrop.com (and then onto api.spark.com, if I understood that correctly) have your sparkcore-served jQuery HTML code send GET requests something like, "http://100.x.x.x/?p1=0". Then have the code on your sparkcore (the tiny web server part) recognise and interpret that URI (?p1=0) to directly turn port 1 (p1) off (0). See? No external servers required. (Yes, you lose the Spark-provided API functionality. But your project does not require any of that -- and you would still retain remote programming from the Web IDE (and all the API functions) so long as your cable modem is up, of course.)

In other words, implement the first TODO in the tiny web server example code ...

void serveWebpage() {
    //TODO: read in the request to see what page they want:

... where, "what page they want" can also be, "what LED/relay they want to control".

Hope that made enough sense.


Finally, I just realised that we're now way off the OP's original topic. (Forgot that was not actually you!) So feel free to open a new topic and link to it here, if you like. A subject something like, "Direct local control of sparkcore" may make sense.

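The URI handling described in the post above, sketched as an added example that is not part of the original post or of the tiny web server example code. It goes slightly beyond the post by rejecting every request line that is not exactly the `?p<pin>=<0|1>` form; the names `PinCommand`, `parseRequestLine`, `MAX_PIN` and `MAX_LINE`, and the limits they carry, are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

struct PinCommand {
    bool valid;  // false: touch no pin, serve the normal page or an error
    int  pin;    // 0..MAX_PIN
    bool on;     // true for "=1", false for "=0"
};

static const int    MAX_PIN  = 7;   // assumption: only pins 0..7 are controllable
static const size_t MAX_LINE = 64;  // assumption: longer request lines are refused

// Accepts exactly "GET /?p<pin>=<0|1> HTTP/1.x"; everything else is rejected.
PinCommand parseRequestLine(const char *line) {
    const PinCommand bad = { false, -1, false };
    if (line == nullptr) return bad;

    size_t len = 0;  // bounded length scan, never reads past MAX_LINE + 1 bytes
    while (len <= MAX_LINE && line[len] != '\0') ++len;
    if (len > MAX_LINE) return bad;

    static const char prefix[] = "GET /?p";
    const size_t plen = sizeof(prefix) - 1;
    if (len < plen + 3 || strncmp(line, prefix, plen) != 0) return bad;

    const char *p = line + plen;                         // "<pin>=<value> HTTP/1.x"
    if (p[0] < '0' || p[0] > '0' + MAX_PIN) return bad;  // pin allowlist
    if (p[1] != '=') return bad;
    if (p[2] != '0' && p[2] != '1') return bad;          // only off/on
    if (p[3] != ' ') return bad;                         // no trailing parameters
    if (strncmp(p + 4, "HTTP/1.", 7) != 0) return bad;

    const PinCommand cmd = { true, p[0] - '0', p[2] == '1' };
    return cmd;  // firmware would now call digitalWrite() for cmd.pin
}

int main() {
    // Constructed sample request lines, not captured traffic.
    const char *samples[] = { "GET /?p1=0 HTTP/1.1\r\n", "GET /?p9=1 HTTP/1.1\r\n",
                              "GET /?p1=0&p2=1 HTTP/1.1\r\n", "GET / HTTP/1.1\r\n" };
    for (const char *s : samples) {
        PinCommand c = parseRequestLine(s);
        printf("valid=%d pin=%d on=%d\n", c.valid, c.pin, c.on);
    }
    return 0;
}
```

Because this path carries no access_token, any host that can reach the core's address can send the same request, so the allowlist and the reject-by-default parsing are the only gate on which pins can be switched.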