- Identify administrative or privileged API endpoints by examining JavaScript source maps, API documentation, and network traffic patterns.
- Test whether merchant-level API keys can access endpoints intended for internal use.
- Look for HTTP method-based access control issues: can you PUT or DELETE r
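
A defender-side check for the merchant-key and HTTP-method items above, as an added example that is not part of the original page: a deny-by-default authorization lookup keyed on method and path, plus an audit that flags routed methods with no rule and internal endpoints whose rule admits a merchant-level key. The route table, policy, credential names and `/internal/` prefix are constructed assumptions.

```python
# Added example: all paths, credential types and rules are constructed samples.

# (method, path) -> credential types explicitly allowed.
POLICY = {
    ("GET", "/v1/payments"): {"merchant_key", "internal_service"},
    ("POST", "/v1/payments"): {"merchant_key", "internal_service"},
    ("GET", "/v1/merchants/{id}"): {"merchant_key", "internal_service"},
    ("GET", "/internal/ledger"): {"internal_service"},
    # Misconfigured on purpose: a merchant key is admitted on an internal route.
    ("DELETE", "/internal/ledger"): {"merchant_key", "internal_service"},
}

# Methods the router dispatches per path (constructed; in practice this
# would be exported from the framework's route table).
ROUTES = {
    "/v1/payments": {"GET", "POST"},
    "/v1/merchants/{id}": {"GET", "PUT", "DELETE"},  # PUT/DELETE have no rule
    "/internal/ledger": {"GET", "DELETE"},
}


def is_allowed(credential, method, path, policy=POLICY):
    """Deny by default: a (method, path) pair with no rule is refused."""
    return credential in policy.get((method.upper(), path), set())


def audit(routes=ROUTES, policy=POLICY, internal_prefix="/internal/"):
    """Return findings for routed methods that lack a rule and for internal
    endpoints whose rule admits a merchant-level key."""
    findings = []
    for path, methods in sorted(routes.items()):
        for method in sorted(methods):
            rule = policy.get((method, path))
            if rule is None:
                # The handler exists but authorization was only written for
                # other methods on the same path.
                findings.append(("no_rule_for_method", method, path))
            elif path.startswith(internal_prefix) and "merchant_key" in rule:
                findings.append(("merchant_key_on_internal", method, path))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```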