It depends if you are testing a newly build API or already build API.
When you are building a new API it’s easy but when you get dropped into an application which already has tons of API’s. I focus on the Happy Flow & the most common business flow.
After that I tend to go for write operations POST/PUT/PATCH, since there is (most of the time) a lot to test compared to a GET and validate data.
What also is important and I’m glad you liked the test pyramid is to have a chit chat with your developers about what they test so you don’t test the same thing twice.
This might be an interesting topic for you @m.zn : What do you assert on when doing API testing? - #5 by meowy24
- Response Body
- Response Time
- HTTP Status codes (200,201,403,…)
- Response Headers (security headers, Content Type, etc…)
- Cookies (if any are present)
- Cache
- Authorization & Authentication
- JWT Tokens
In all cases happy flows & unhappy flows.