I don't think there is a stock answer to this.
My usual methodology is usually to write a harness in python based on provided documentation and run that through Burp Pro so I can capture the interactions. I also have a self-developed API security framework that I use as a checklist of things that are expected in a "secure" API.
Burp Pro (or Enterprise) and OWASP ZAP Proxy (it's integration for Jenkins is pretty nifty) are good for manual testing. Other than that, you're looking at commercial "enterprise" solutions.
Lastly, I don't think it is valuable testing an API without access to source code. The code should lead your testing.
Sic semper tyrannis.