One really weird thing about the mastodon API to me is that, because of the whole decentralised thing, you need credentials for each server, and so there's an endpoint where you just apply to get some. Need to talk to a server you haven't seen before? Just ask.
"hello, I'd like to be an oauth client please."
"not a problem, here you go."
I can immediately see the potential for abuse but I guess it mustn't be a problem in practice.