I noticed that there doesn't seem to be a limit on how often you can hit the API, which could be a very easy way to DDoS a site. Maybe have a limit configurable in the config, e.g. 1 API call per 60 seconds. If you exceed that times in say 5 minutes (possibly also configurable) then your OAuth tokens could be dropped (for repeat offenders registration could even be disallowed - however this may punish the user for a bad client).
Ah yes, get enough nodes and any request would but fetching all that data (some of these API calls can return into the hundreds of KBs of data). Getting and returning that much data could cause a lot of problems (I think anyway - I would have to do some more tests). I think if an exception was raised it would help the case.
There is also the fact it is tied to accounts to make API calls; you could, like I suggested, begin to deny access at least for a while, which would seriously hinder any attempt at getting the server to return the level of data that is required for say the inbox endpoint.
So, identi.ca is a pretty popular public site, and we've just never had a problem with this.
I'm going to leave this issue open, since in theory I think it's a possible problem, but I'm probably not going to work much on API limits until or if they become a real problem.
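The limit proposed in the first comment, sketched as an added example (not part of the thread and not the project's code): one call per token per 60 seconds, with the token dropped after repeated violations inside a 5-minute window. The class name, method names, return values and the `maxStrikes` default of 3 are assumptions; the thread gives no number for how many violations should trigger a drop.

```javascript
// Added example: per-token throttle with strike-based token revocation.
// All names and the maxStrikes default are assumptions, not the project's code.
class ApiRateLimiter {
  constructor({ minIntervalMs = 60000, strikeWindowMs = 300000, maxStrikes = 3 } = {}) {
    this.minIntervalMs = minIntervalMs;   // "1 API call per 60 seconds"
    this.strikeWindowMs = strikeWindowMs; // "in say 5 minutes"
    this.maxStrikes = maxStrikes;         // assumed; the thread gives no number
    this.state = new Map();               // token -> { lastAllowed, strikes[] }
    this.revoked = new Set();             // tokens that have been dropped
  }

  // Returns "allow", "throttle" (reject this call) or "revoke" (drop the token).
  check(token, now = Date.now()) {
    if (this.revoked.has(token)) return "revoke";
    let s = this.state.get(token);
    if (!s) {
      s = { lastAllowed: -Infinity, strikes: [] };
      this.state.set(token, s);
    }
    if (now - s.lastAllowed >= this.minIntervalMs) {
      s.lastAllowed = now;
      return "allow";
    }
    // Too early: forget strikes older than the window, then record this one.
    s.strikes = s.strikes.filter((t) => now - t < this.strikeWindowMs);
    s.strikes.push(now);
    if (s.strikes.length >= this.maxStrikes) {
      this.revoked.add(token);
      this.state.delete(token); // revoked tokens need no further bookkeeping
      return "revoke";
    }
    return "throttle";
  }
}

// Constructed request timeline (in seconds) for one constructed token.
function demo() {
  const limiter = new ApiRateLimiter();
  const times = [0, 10, 20, 70, 80, 90, 400];
  return times.map((t) => limiter.check("token-A", t * 1000));
}

console.log(demo());
```

An allowed call in between does not clear earlier strikes; only the 5-minute window ageing them out does, so a client that keeps retrying early is dropped even if some of its calls succeed.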