Paul, it’s ok, thats’s how we all started. 
The script is executed on the server, so everything somebody else can see is the response of the request, not the source code.
I would do something like this. It takes all the parameters, adds the access token, and sends it to the api.
<?php
$device = $_REQUEST["device"];
$method = $_REQUEST["method"];
if(!$device||!$method) die("device or method param missing\n");
// add access token
$_REQUEST["access_token"] = "12399....123123";
// create params
$params = http_build_query($_REQUEST);
// make request
$url = "https://api.spark.io/v1/devices/" . $device . "/" . $method . "?" . $params;
$response = file_get_contents($url);
echo $response;
?>
PS: I didn’t test it 