I've thought for a while about what you have said and what we discussed, and I'm still unsure.
My vision of the API was a generic type of an API. A developer could write a single application, say an Android app, which can then be used with all boards (provided that the board has the API turned on and the user has permission to use it). In this case it would not be possible to register an application on every board, unless the user that is using the application register the application themselves (doesn't that go against the point). How many phpBB boards are out there? I don't think a developer wants to register with all of them. A centralized solution might be an idea, but I think it has a lot of downsides as well. To create specific applications for each board would probably not be possible. Only the biggest boards would probably consider creating an application using the API, and I'm unsure why they wouldn't just make a custom solution anyway in that case.
However, I could see a dual-auth system. Some board owners may want an API that can be used with any application, some owners may only want to allow registered applications and some may only want to allow their own applications. We could leave it to the board owner to select what's apropriate, using the current auth system for those boards that want to allow all applications, and an OAuth2 solutions for those who want registered applications/own applications. And we could look into a centralized repo like we were discussing in IRC.
But to be honest, I'm not very knowledgeable about OAuth2. Maybe there is a way to implement it without having the application to register everywhere, but from my understanding you do need both an application key and an user key.
I stumbled upon something called JSON Web Tokens on reddit earlier this week.
This blog post mentions OAuth2 compliance as well as self-issuing tokens without a central issuer.
http://jwt.io/. I haven't looked at it very much and I dunno how it can be used or if it even does anything that we want to do (had a busy week so I couldn't look into it very much) but it seems like they also use a HMAC SHA256 solution, with scopes added.