I just updated the sources & binary on the github project page.
It is now possible to access the list of onlineusers through http://yourserver:9090/plugins/onlineusers/list.
If you want it to be public available, add the following property to your system properties in the admin console: plugin.onlineUsers.list.disableAuth and set it to true.
Be aware that you have to restart the server in order to enable this setting. Maybe a plugin restart is also possible, but I didn’t try that.
If this setting is not specified, the standard admin login is required to get the list. I think this is openfire’s default behaviour and I didn’t want to change it to another (with e.g. the secretKey as you proposed).
The list is returned as a JSON array.
Hope you like it.