REST API testing checklist I have refined over 5 years — share yours
Ajitesh Mohanta (Ambassador)
Apr 5, 2026
Here's the checklist I run through when writing API tests for a new endpoint. Not exhaustive but covers 90% of what matters:
**Happy path**
- [ ] Valid request returns expected status code
- [ ] Response body matches schema (type and shape, not just field names)
- [ ] Response headers correct (Content-Type, Cache-Control if relevant)
**Input validation**
- [ ] Missing required fields → 400 or 422
- [ ] Wrong data types → 400
- [ ] Boundary values (empty string, 0, max int, very long strings)
- [ ] SQL injection strings, HTML in text fields
**Auth / Permissions**
- [ ] Unauthenticated → 401
- [ ] Wrong role → 403
- [ ] Resource owned by another user → 403 or 404 (never 200)
**State**
- [ ] Idempotency where claimed (PUT, DELETE)
- [ ] POST creating duplicate resource
- [ ] Soft-deleted records aren't returned
What's on your checklist that's not here?
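
Added example, not part of the original post: one way to automate the three Auth / Permissions items, including the cross-user check that must never return 200. The in-memory handler, tokens, roles and paths are constructed stand-ins for a real API; the checker goes slightly beyond the list by sweeping every user against every resource they do not own.

```python
# Constructed in-memory stand-in for an API; tokens, roles and paths are hypothetical.
TOKENS = {"tok-alice": ("alice", "user"), "tok-bob": ("bob", "user"),
          "tok-root": ("root", "admin")}
ORDERS = {1: {"owner": "alice", "item": "book"}, 2: {"owner": "bob", "item": "lamp"}}

def make_handler(check_owner):
    """Return handle(method, path, token) -> (status, body)."""
    def handle(method, path, token=None):
        ident = TOKENS.get(token)
        if ident is None:
            return 401, {"error": "unauthenticated"}
        user, role = ident
        if path == "/admin/orders":
            if role != "admin":
                return 403, {"error": "forbidden"}
            return 200, list(ORDERS.values())
        order = ORDERS.get(int(path.rsplit("/", 1)[1]))
        if order is None:
            return 404, {"error": "not found"}
        if check_owner and role != "admin" and order["owner"] != user:
            return 404, {"error": "not found"}  # same answer as a missing id
        return 200, order
    return handle

def auth_checklist(handle):
    """Run the three Auth / Permissions items; return the list of failed items."""
    failures = []
    status, _ = handle("GET", "/orders/1")
    if status != 401:
        failures.append(f"unauthenticated -> {status}, want 401")
    status, _ = handle("GET", "/admin/orders", "tok-alice")
    if status != 403:
        failures.append(f"wrong role -> {status}, want 403")
    # Cross-user sweep: every non-admin user requests every order they do not own.
    for token, (user, role) in TOKENS.items():
        if role == "admin":
            continue
        for oid, order in ORDERS.items():
            if order["owner"] == user:
                continue
            status, body = handle("GET", f"/orders/{oid}", token)
            # Fail on a 2xx-style status or on any leaked field in the body.
            if status not in (403, 404) or "item" in body:
                failures.append(f"{user} read order {oid} -> {status}")
    return failures

if __name__ == "__main__":
    print("no owner check:", auth_checklist(make_handler(check_owner=False)))
    print("owner check:   ", auth_checklist(make_handler(check_owner=True)))
```

Against a real service, replace `handle` with a thin wrapper around the HTTP client and seed one resource per test user before the sweep.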