Fuzz deep and wide
To be able to craft requests to an API, and perhaps already find some information disclosures, security misconfigurations, excessive data exposures, and logic flaws along the way, fuzz all the things, including:
Authentication, authorization & roles (privileges and permissions)
Data input validation, handling & processing
Encryption & sequencing
Business logic, source code & parameter manipulation
The result is validation of vulnerabilities that can or may be exploited.