A focused playbook for catching broken object level authorization (BOLA) and broken function level authorization (BFLA) in APIs. You get a four-step test loop (create two accounts, capture every flow while driving the app as Account A, replay each captured request with Account B's token, then hit sibling and nested endpoints of anything that did not come back as a clean 401/403), plus the surfaces people actually forget to lock down: nested resources, alternate HTTP verbs on the same route, and hidden JSON fields like "role" or "verified" that should never be client-writable. One caveat worth keeping in mind when you run the loop: compare the response body, not just the status code, since a 200 with an empty or redacted body is a pass while a 200 carrying Account A's data is the finding. The routing is smart too, pointing you toward the JWT abuse or GraphQL skills when the problem shifts layers. Honestly more useful as a checklist than a deep methodology guide, but that's exactly what you need when you're staring at `/api/v1/users/123` and wondering what else is broken.
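The four-step loop above, written out as a differential tester. This is an added example, not code from the hack-skills repository or from the skill it describes. The target is a constructed in-memory API (`fake_api`, with made-up users, orders, tokens `tok-A`/`tok-B` and paths under `/api/v1/users`) whose missing checks are the ones the checklist names: ownership forgotten on DELETE, a nested `/orders/{oid}` route that only checks the order exists, and a PATCH that writes any model column the client sends. Swap `fake_api` for a function that issues real HTTP requests to point it at a live service.

```python
"""Added example: the BOLA/BFLA test loop as a differential tester.
Runs offline against a constructed toy API with deliberately missing checks."""
from dataclasses import dataclass
from typing import Optional

# --- Constructed toy API (hypothetical; stands in for the real target) ---
USERS = {
    1: {"id": 1, "role": "user", "verified": True},
    2: {"id": 2, "role": "user", "verified": False},
}
ORDERS = {10: {"id": 10, "owner": 1, "total": 9.99}, 11: {"id": 11, "owner": 2, "total": 42.0}}
TOKENS = {"tok-A": 1, "tok-B": 2}  # bearer token -> user id


def fake_api(method, path, token, body=None):
    """Returns (status, json). Ownership is checked on GET/PATCH of /users/{id}
    but forgotten on DELETE and on the nested /orders route, and PATCH writes
    every model column the client sends (mass assignment)."""
    uid = TOKENS.get(token)
    if uid is None:
        return 401, {"error": "unauthenticated"}
    parts = path.strip("/").split("/")
    if parts[:3] != ["api", "v1", "users"] or len(parts) < 4 or not parts[3].isdigit():
        return 404, {"error": "not found"}
    target = int(parts[3])
    if target not in USERS:
        return 404, {"error": "not found"}
    if len(parts) == 4:
        if method in ("GET", "PATCH") and target != uid:
            return 403, {"error": "forbidden"}
        if method == "GET":
            return 200, dict(USERS[target])
        if method == "PATCH":
            # Bug: any column on the model is client-writable, including role/verified
            USERS[target].update({k: v for k, v in (body or {}).items() if k in USERS[target]})
            return 200, dict(USERS[target])
        if method == "DELETE":
            # Bug: the ownership check above was only written for GET/PATCH (BFLA)
            return 200, {"deleted": target}  # kept side-effect free for the demo
        return 405, {"error": "method not allowed"}
    if len(parts) == 6 and parts[4] == "orders" and parts[5].isdigit() and method == "GET":
        order = ORDERS.get(int(parts[5]))
        if order is None:
            return 404, {"error": "not found"}
        # Bug: checks the order exists, never that it belongs to /users/{id} or the caller
        return 200, dict(order)
    return 404, {"error": "not found"}


# --- The test loop ---
@dataclass
class Capture:
    """One request recorded while driving the app as Account A (step 2)."""
    method: str
    path: str
    body: Optional[dict] = None


def replay_as_other(captures, token_b, api):
    """Step 3: replay every Account A request with Account B's token.
    Any 2xx is a BOLA/BFLA candidate; the response body should be eyeballed too."""
    findings = []
    for c in captures:
        status, _ = api(c.method, c.path, token_b, c.body)
        if 200 <= status < 300:
            findings.append((c.method, c.path, status))
    return findings


def verb_sweep(path, token_b, api, verbs=("GET", "PUT", "PATCH", "DELETE")):
    """Alternate verbs on the same route as B: the GET may be locked down while DELETE is not."""
    return {v: api(v, path, token_b)[0] for v in verbs}


def mass_assignment_probe(path, token, api, fields=("role", "verified", "is_admin")):
    """Send hidden fields in an update to the caller's OWN object and re-read it.
    Each probe value is chosen to differ from the current one, so a field that is
    already true/admin still gives a signal. Returns the fields that stuck."""
    before = api("GET", path, token)[1]
    payload = {}
    for f in fields:
        cur = before.get(f)
        payload[f] = ("user" if cur == "admin" else "admin") if f == "role" else (not bool(cur))
    api("PATCH", path, token, payload)
    after = api("GET", path, token)[1]
    return [f for f in fields if after.get(f) != before.get(f)]


def run_loop(api=fake_api):
    captured_as_a = [  # Step 2: flows recorded as Account A (constructed)
        Capture("GET", "/api/v1/users/1"),
        Capture("GET", "/api/v1/users/1/orders/10"),
    ]
    return {
        "bola": replay_as_other(captured_as_a, "tok-B", api),  # step 3, incl. nested resource
        "verbs": verb_sweep("/api/v1/users/1", "tok-B", api),  # step 4, sibling verbs
        "mass_assignment": mass_assignment_probe("/api/v1/users/2", "tok-B", api),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_loop(), indent=2))
```

The direct `GET /api/v1/users/1` as Account B correctly comes back 403, which is exactly why the loop does not stop there: the nested order under that user leaks, the DELETE on the same route succeeds, and the PATCH lets B promote its own account. The probe for `is_admin` comes back clean only because the toy model has no such column, which is the caveat about comparing state, not status, in miniature.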
npx skills add https://github.com/yaklang/hack-skills --skill api-authorization-and-bola