Ask HN: How do you test the security of your API?

Hi friends - I am looking for some guidance on the best tools and practices for testing the security of your API. I don’t mean things like OWASP ZAP, which are mostly focused on web application scans, but tooling for auditing, e.g., REST API backends of mobile apps or headless pages.

Any practical tips are welcome.

  • An external penetration testing audit is good practice.