I have seen many sites such as
Amazon : (http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html) adding UTC timestamp("seconds since epoch") to HMAC for stopping replay attacks.
Many authentication tutorials and forums like How to securely maintain user authentication through a third party API? are also suggesting this.
I have only one concern in this, can it cause issue when mobile apps communicate with the API, I have checked it will not cause issue on Web when communicating with API's on web with PHP.