Understand application functionality
Enumerate the endpoints and identify the parameters each one accepts. Use a tool like Postman to send requests to the API and inspect the responses.
Review the API documentation. This helps you understand the functionality of the API and identify the attack surface.
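When the documentation is published as an OpenAPI document, the endpoint and parameter inventory can be built from it directly. The following is an added example, not part of the original page: the spec fragment, its "orders" API and the function names are constructed for illustration, and it assumes OpenAPI 3 with inline parameters (no `$ref`).

```python
import json

# Constructed OpenAPI 3 fragment for a hypothetical "orders" API (not from the page).
SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/orders/{orderId}": {
      "parameters": [{"name": "orderId", "in": "path"}],
      "get": {"parameters": [{"name": "expand", "in": "query"}]},
      "delete": {}
    },
    "/orders": {"post": {"requestBody": {"content": {"application/json": {"schema": {
      "properties": {"sku": {}, "quantity": {}, "discountCode": {}}}}}}}},
    "/health": {"get": {"security": []}}
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def inventory(spec):
    """Return one row per operation: method, path, parameters, auth required."""
    rows = []
    default_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level params apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = [f'{p["in"]}:{p["name"]}' for p in shared + op.get("parameters", [])]
            # JSON body fields are inputs too, so list them next to URL parameters
            for media in op.get("requestBody", {}).get("content", {}).values():
                props = media.get("schema", {}).get("properties", {})
                params += [f"body:{name}" for name in props]
            # operation-level "security" overrides the global default; [] means no auth
            security = op.get("security", default_security)
            rows.append({"method": method.upper(), "path": path,
                         "params": sorted(params), "auth": bool(security)})
    return sorted(rows, key=lambda r: (r["path"], r["method"]))

def unauthenticated(rows):
    """Operations the spec declares as callable without credentials."""
    return [f'{r["method"]} {r["path"]}' for r in rows if not r["auth"]]

if __name__ == "__main__":
    for r in inventory(SPEC):
        print(r["method"], r["path"], "auth" if r["auth"] else "NO-AUTH", r["params"])
```

The resulting rows give a checklist to compare against what the API actually exposes when exercised in Postman; endpoints that respond but are absent from the spec are undocumented surface.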