D9 · PenTest+

What is API security testing?

API security testing checks for: BOLA/IDOR (accessing other users' data through object references), authentication bypass, mass assignment (extra request parameters accepted and written to the object), missing rate limiting, and sensitive data exposure in responses.
OWASP API Security Top 10: BOLA (#1), Broken Authentication (#2), Broken Object Property Level Authorization (#3), Unrestricted Resource Consumption (#4), BFLA (#5). Tools: Postman, Burp Suite, OWASP ZAP, mitmproxy. Changing the userId in API requests is the classic BOLA test, and BOLA is extremely common in API implementations.