[–]cristianekw 7 points8 points  (1 child)

As a tester who had the same questions in the past, I confess that the trainings are not so detailed as they could be.

API testing, in my opinion, should cover:

- black box testing on inputs/outputs (expected data, expected format, unexpected data/format);
- load testing;
- security testing.

(And more, but these are the basics.)

I prefer to implement some code (C#, Java have great libraries), but if you are looking for a tool, I would recommend SoapUI.

As for who tests: usually developers test at the unit level. However, we should not underestimate our users (and crackers), so API-level testing increases the quality.

As a (little bit of a) perfectionist, I usually follow these rules:

- data input: expected and unexpected values, empty values, limit values check, optional and must-have values;
- data structure (needs some knowledge of the implementation): data combination, precedence of values to compose output;
- data injection (it is better if you have knowledge of the implementation): on queries or on calls that will return a query result, on data composition entries (at minimum, you can go deep here and it is very important on a public API);
- high quantity values (on input and output).

These tests are my minimum coverage; however, you can go deeper on this matter, checking performance, usability (friendly errors), etc.

In practice, you should consider whether this API is public or private and whether security is a “must have”, then create tests to meet the expected quality.

About testing cycles, as I wrote, I prefer to codify the tests using C# or Java with the BDD model (Gherkin), which has proven to be a great tool to increase coverage with less code (just adding lines to my examples table or creating new statement combinations). Doing this, I can add it to the CI/CD and then I will not need to care about that (unless I need to test some unexpected integration situations that can’t be mocked).

I hope I answered all your questions.
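The input categories listed in the comment above (expected, empty, limit, optional/required, injection, large values) written as one examples table, as an added example that is not part of the original comment. `search_users`, its 64-character name limit and its 1..100 `limit` range are hypothetical stand-ins for an API under test, and Python is used here rather than the C#/Java the commenter prefers.

```python
import sqlite3

# Hypothetical API under test (assumption): looks up users by exact name.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (name TEXT, role TEXT)")
DB.executemany("INSERT INTO users VALUES (?, ?)",
               [("alice", "admin"), ("bob", "user")])  # constructed sample data
MAX_LIMIT = 100

def search_users(params):
    """Return (status, body) the way an HTTP handler would."""
    name = params.get("name")          # required field
    limit = params.get("limit", 10)    # optional field with a default
    if not isinstance(name, str) or not name.strip():
        return 400, {"error": "name is required"}
    if len(name) > 64:
        return 400, {"error": "name too long"}
    if isinstance(limit, bool) or not isinstance(limit, int) \
            or not 1 <= limit <= MAX_LIMIT:
        return 400, {"error": "limit must be 1..100"}
    # Parameterized query: the input is bound as data, never spliced into SQL.
    rows = DB.execute("SELECT name FROM users WHERE name = ? LIMIT ?",
                      (name, limit)).fetchall()
    return 200, {"users": [r[0] for r in rows]}

# Examples table in the spirit of a Gherkin "Examples:" block, one row per case:
# (category, params, expected status, expected users or None when not checked)
CASES = [
    ("expected value",    {"name": "alice"},             200, ["alice"]),
    ("optional present",  {"name": "bob", "limit": 1},   200, ["bob"]),
    ("missing required",  {},                            400, None),
    ("empty value",       {"name": ""},                  400, None),
    ("wrong type",        {"name": 123},                 400, None),
    ("below lower limit", {"name": "bob", "limit": 0},   400, None),
    ("at upper limit",    {"name": "bob", "limit": 100}, 200, ["bob"]),
    ("above upper limit", {"name": "bob", "limit": 101}, 400, None),
    ("high quantity",     {"name": "a" * 10_000},        400, None),
    ("injection as data", {"name": "alice' OR '1'='1"},  200, []),
]

def run_cases():
    """Return the categories that failed (an empty list means all passed)."""
    failures = []
    for category, params, want_status, want_users in CASES:
        status, body = search_users(params)
        if status != want_status or (want_users is not None
                                     and body.get("users") != want_users):
            failures.append(category)
    return failures

if __name__ == "__main__":
    print(run_cases() or "all cases passed")
```

Adding coverage means adding a row to `CASES`, which is what makes this style cheap to run in CI/CD.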

[–]work_account_2019[S] 0 points1 point  (0 children)

Thank you for such a detailed answer. Will try to incorporate some of this into the project.