Thanks for your response Adam. Here my thoughts on your points:
1) I'm absolutely agree with you on this and I wont just modify taffy meta data things without further discussion. The only thing is, which names to choose as you can see over here there was already a discussion about authentication and metadata:
2) In my understanding the dashboard should not be used just by the API developer for testing the endpoints. I think it's a great tool to provide a fully usable API documentation at no costs. Therefore I'm keen on running the dashboard on the main URL without requiring any further parameters. So application developers (instead of API developers) could use this one to understand how the API works and build their applications on top of it. That's why I think just disabling authentication methods is not an option, since this would open up the doors for anybody to use every API method on production systems as they like to. I've a fair good understanding of OAuth and how it works. So the dashboard may only provide the ability to put into an oauth_token and an oauth_token_secret and use these for the secured API requests - that's it.
3) I'm not sure if it absolutely relies on Node - I'll ask the guys over at mashery to give me a hand on this one.
4) Please do not missunderstand, OAuth isn't a requirement at all for me!! The only thing I want to ensure right now, is to walk the right line. And as I've not seen any possibility yet to add an authentication documentation by using Swagger, this seems not to be possible at all in the future. Whats also missing in Swagger is some sort of declaring private and public functions in the API which then will be published or not (but I think this could be achieved by using some sort of taffy:access meta data kind of thing).