About the authentication: if you are using the browser directly (addon, script, plugin, etc.), there is a parameter called "itoken" that has the same value, but I'm not sure it is there any more. Maybe you can ask for permission using the common OAuth method... and then use it inside the game itself; then you can call /simple/ and /internal/ methods...!
getStatus and feed/playerfeed allow you to see more than 5 items, so maybe that's why they require auth.
But friends.list should be public... maybe there is a parameter to use it without auth... we need to try... :)
I agree that the API shouldn't be more restrictive than the web site. (Otherwise, people will be forced into screen scraping.) But, perhaps they are tightening things up so that you won't be able to get that info from the web site unless you are logged in.