The oauth token is retrieved post successful login. It is used for the parts of the API that require an authenticated user. The API_KEY is generic and used for the non-authenticated parts.
I completely agree. However, there doesn't seem to be a method for requesting an API key from Kickstarter (as far as I'm aware). I actually got this key from another guy who was reverse engineering the iOS Kickstarter application.
It's better practive for the user to supply their own API_KEY.