I recently wrote an article about how API testing is exploratory, so I won’t spend too much time on this one, but I do want to re-iterate that all testing involves exploration.
When I approach any new testing task (including API testing), I start with exploration. How else are you supposed to figure out what to do? My approach to this in an API is similar to any other area I might be exploring. I start with some piece of information I know (perhaps an API end point) and do something with it (GET the request) and then look at the results of that and see if there is anything interesting or that seems to be out of place. I then follow up on that, making notes along the way, until that line of inquiry has died down.
I will talk to developers and other testers and consult documentation to try and find new starting points and follow them down various branches as they seem interesting, occasionally circling back as I learn more about the application. I take streaks of learning and keep expanding on them as needed until I am satisfied that I have a reasonable understanding of the state of the feature and can articulate it to those that need to know about it.
I use tools along the way of course. Things like Postman and Python and Curl and developer tools in the browser. Anything really that will help me answer the questions I’m curious about and give me insights into other things that might interesting. The tool set might differ in API testing, but the principles are the same. Follow your curiosity. Pay attention to what is happening. Ask lots of questions. Make notes. Grow your mental map. Try new things. In a word, Explore!