Attack authentication
Check for bad passwords and password requirements, default credentials, verbose error messaging, and bad password reset processes, broken API authentication, no authentication whatsoever, a lack of rate limiting applied to authentication attempts, the use of a single token or key for all requests, tokens created with insufficient entropy, and JWT configuration weaknesses.
Many of the gifts that keep giving from web applications for decades have been ported over to APIs, plus then some.
Basic authentication testing
Attack and manipulate API tokens