Usernames are case insensitive and can contain any character.
Why not leave that up to the server to decide?
The POST queries return a JSON. If there's a key by the name of "status" then it was successful and the value will give you an update as to what occured. If there's a key called "error" then it was unsuccessful and the value is an error message. The JSONs can also have other entries depending.
Is there a reason not to return either a 302 Found pointing to a bitcoin: URI, or else a standard HTTP error? I don't see why this needs JSON at all...