My thoughts are similar to Hillary(@g33klady)
Documentation: Read any available documention, tools such as swagger can help.
Source code: if possible get access to the source code through repo such as gitlab.
Using the documentation and source code you will know the status code, error messages etc.
Dev Tools: chrome dev tools is incrediblely useful. The network tab shows you all the activity of the API.
‪If you have no documentation or access to source code you can use your exploratory testing skills coupled with tools such as chrome dev tools and fiddler to figure out the API calls from the application.‬
Fiddler: web debugging proxy tool that can capture HTTP(S), as welll as help you test through useful option me such as the ability to throttle traffic.
Wireshark: Network Protocol analyzer
Command line: on Linux use commands such as tcpdump to see the network traffic on an interface.
Logging: Use any available logging tools to look for errors or perhaps sensitive information that should not be logged.
Tracing: use the output from tools such as zipkin for distributed tracing for micro services.