"As a Client Developer, I want to make some API calls without providing an OAuth 2.0 client ID, so that I can test how the API calls work."
Most API calls should include an OAuth 2.0 Authorization: Bearer <xxxx> header.
Idempotent GET and HEAD API calls can be made without an OAuth 2.0 Authorization headers. (All API endpoints that use GET and HEAD should be idempotent.)
API calls without an OAuth Authorization header are subject to per-IP rate limiting.
PUT, DELETE, POST, PATCH and any other write methods are not allowed without an OAuth Authorization: Bearer <xxxx> header. If they're received, they should return a 401 Unauthorized HTTP status.