AjaxMethods in AjaxPro are using HTTP POST
Methodname is placed in HTTP headers
PrincipalPermission attributes on AjaxMethods
A simple protection agains non-authenticated users is to add a PrincipalPermission attribute to your AjaxMethods. The use of this attributes doesn't differ to the common use of this attribute somewhere else in the .NET framework (i.e. combined with FormsAuthentication in ASP.NET).
Unique client token
There is a possibility to add a token to each request. This token is unique to each client and will be embedded in the html output of the ASP.NET page. Each AJAX request must add this value to the HTTP header values. Because the token is client dependent it is not possible to take it to another client.
Another security built-in feature are the CryptProviders. With this feature you can crypt your JSON message from and to the web server. A very simple web application could display an image with an keyword on it. This keyword will be entered by the user once a new web browser session is started. With this in-memory keyword the crypt provider can do any type of encryption like RSA or Blowfish encryption, the keyword will never be transmitted over the HTTP connection. Instead of displaying and image you could create once the user will register for the service and send it by mail.
I hope this will clear your questions and help you to decide which AJAX framework to use. If you have any more question feel free to contact me, of course. One more note at the end: don't trust any framework to let your web application protect automatically without your help.
*) In the current release there is a small bug which will be corrected this weekend.