API Endpoint lists can be created by your experiences, pulling words you think might fit or automatically with a tool like Cewl. Here's a few other sources too:
https://github.com/danielmiessler/SecLists
https://github.com/chrislockard/api_wordlist
actuator
health
trace
logfile
metrics
heapdump
status
ping
api-docs
application.wadl
doc
docs
swagger-ui.html
swagger.json
jolokia
apis
api/v1/
healthz
metrics
swagger.json
api/proxy
download
readfile
read_file
fetch
admin
api/proxy?url=
api/payment?id=
heapdump
admin/heapdump
manage/heapdump
actuator/heapdump
solr
Search-Replace-DB/
Search-Replace-DB-master/
adminer.sql
composer.json
manifest.json
temp/
data/
test
debug
backup
old
_admin
backup
application.wadl
metrics
graph
.svn
mw-config
dev
maintenance
status2
_legacy
2
graph
graphiql
graphql
graphql-explorer
graphql/cponsole
heapdump
jenkins/script
manage/hea[du,[
secure/attachmentzip
secure/configurereport.jspa
testing
version
out
sr
sj
charts
secure/configurereport!default.jspa
api/batch
proxy/
metrics
Target/proxy/attacker_IP/attacker_port/
ui/#/app
java
dashboard
pprof
proxy
nomad
nomad/global/
nomad/global/cluster
.php.swp
test/
demo
.git
secret
actuator
beans
service?wsdl
passwords
system/console
config
upload
files
proxy
server-status
web-INF/web.xml