Some wikis serve as "backend", and gadgets make write API requests against them without sending the user there. E.g. one might edit an infobox with WE-Framework which makes a Wikidata edit in the background. There are similar use cases for Commons file uploads. We should make sure this works even if the user never visited that wiki before (and thus has no local user account there and/or is not logged in).
The status quo is that when you first log in (even if you autologin, i.e. visit a wiki where you were not logged in while having a valid global session), CentralAuth creates accounts and logs you in on all English wikis and all multilingual wikis (including Commons and Wikidata). This is considered a bug (T18864). There is a security argument that autologin should not happen at all (T21161). The same account creation does not seem to happen on registration itself, so if a user registers on enwiki and never goes to any other site, they won't have Commons/Wikidata accounts.
We can use $wgCentralAuthAutoCreateWikis to make sure accounts on wikis always exist, but this does not really help as CORS API requests will still fail (? I think so but haven't tested) because the user does not have a session cookie for the second-level domain belonging to that site.
Huh, forgot about that completely. Does it autocreate the user if needed? It seems like it would. If that's the case then the only thing needed is to make sure people can find out about it more easily and maybe provide a JS library to make it less annoying to gadget writers, something along the lines of mw.Api.postWithToken. (And maybe not change it after every request? That seems a bit awkward.)