Authentication (are users really who they say they are?) Authorization (do users have the right permissions?) Data protection (like encryption, safe storage) Session management (handling login sessions safely) Input validation (preventing attacks like SQL Injection, XSS) Focus areas: Functional testing (correct responses) Performance testing (speed, reliability) Security testing (who can access what) Error handling (how the API behaves when something goes wrong) Tools: Postman, SoapUI, Rest Assured, JMeter Things tested: Endpoints (GET, POST, PUT, DELETE methods) Request and response structure Authentication (API keys, OAuth, etc.)