I went through 2,400 of our team's API test assertions last month. 91% of them fall into three categories.*
That number surprised me.
Not because it was low.
Because it was so high.
I expected to find dozens of assertion patterns:
- Header assertions
- Pagination assertions
- Security assertions
- Performance assertions
- Database validations
- Custom business rules
Instead, almost everything we had written could be grouped into just three buckets.
When I removed duplicate patterns and categorized the assertions, 91% of them fit into:
- Schema Assertions
- Identity Assertions
- Side-Effect Assertions
The remaining 9%?
Most of them probably shouldn't exist.
If you're building or maintaining REST API tests, understanding these three categories will dramatically simplify how you think about testing.
Why Most API Test Suites Become Hard to Maintain
A lot of test suites grow organically.
A developer writes:
expect(response.status).toBe(200);
Another adds:
expect(response.body.name).toBe('John');
Someone else adds:
expect(response.body.items.length).toBe(3);
Eventually the suite contains thousands of assertions.
Many of them:
- Duplicate each other
- Validate implementation details
- Add maintenance without adding confidence
The goal isn't to write more assertions.
The goal is to write the assertions that actually matter.
1. Schema Assertions (The One Most Tests Skip)
This is the most undervalued type of API assertion.
A schema assertion answers:
Does the response still match the contract?
Suppose your endpoint returns:
{
"id": 123,
"name": "John Smith",
"email": "john@example.com"
}
Tomorrow someone changes it to:
{
"id": "123",
"fullName": "John Smith"
}
The endpoint still returns:
200 OK
But consumers may immediately break.
This is why schema assertions matter.
What Schema Assertions Validate
- Required fields exist
- Data types are correct
- Fields have not disappeared
- Arrays contain the right structure
- Response contracts remain compatible
Example JSON Schema Assertion
expect(response.body).toMatchSchema({
type: 'object',
required: ['id', 'name'],
properties: {
id: {
type: 'integer'
},
name: {
type: 'string'
}
}
});
Why Teams Skip This
Because checking:
expect(response.status)
.toBe(200);
feels sufficient.
It isn't.
The biggest API regressions I see are contract changes that still return successful responses.
This is why json schema assertion techniques provide so much value.
Copy-Paste Template: Schema Assertion
expect(response.body)
.toMatchSchema(schema);
Or:
expect(response.body.id)
.toEqual(expect.any(Number));
2. Identity Assertions (The Value You Actually Care About)
This is the category most people think of when they hear "API testing."
An identity assertion answers:
Did the API return the correct business value?
Example:
{
"discount": 20
}
The contract may be valid.
The endpoint may return 200.
But if the expected discount is:
{
"discount": 50
}
the API is still broken.
Identity Assertions Validate
- Business calculations
- Field values
- Sorting
- Filtering
- Authorization decisions
- Domain rules
Example
expect(response.body.discount)
.toBe(20);
Or:
expect(response.body.status)
.toBe('ACTIVE');
Why Identity Assertions Matter
Customers care about values.
They do not care that:
{
"discount": {
"type": "integer"
}
}
is valid.
They care that the discount is correct.
Copy-Paste Template: Identity Assertion
expect(response.body.field)
.toBe(expectedValue);
Or:
expect(response.body)
.toEqual(expectedObject);
3. Side-Effect Assertions (The Ones That Prove the Work Happened)
This category gets overlooked surprisingly often.
An API can return:
200 OK
and still fail completely.
Consider:
POST /orders
The endpoint returns success.
But:
- The database row wasn't created.
- The message wasn't published.
- The email wasn't sent.
The business process failed.
Side-Effect Assertions Validate
- Database writes
- Queue messages
- Event publication
- Emails
- Audit logs
- Third-party integrations
Example Database Assertion
expect(orderRepository.find(orderId))
.not.toBeNull();
Example Queue Assertion
expect(queue.contains(orderCreatedEvent))
.toBe(true);
Why Side Effects Matter
Many APIs exist solely to trigger something else.
The response itself is often the least important part.
For example:
POST /payments
Nobody cares about:
{
"success": true
}
What matters is:
- Was the payment captured?
- Was the invoice generated?
- Was the receipt sent?
Copy-Paste Template: Side-Effect Assertion
expect(databaseRecord)
.toExist();
Or:
expect(publishedEvent)
.toBeDefined();
The 9% That Didn't Fit
After categorizing our assertions, around 9% remained.
Examples included:
expect(response.body.items.length)
.toBe(5);
expect(response.body.createdAt)
.toBe('2026-07-01');
expect(response.body.version)
.toBe('1.2.8');
Many of these were:
- Brittle
- Overly specific
- Tied to implementation details
Why Most of Them Should Be Deleted
Ask yourself:
If this assertion failed tomorrow, would users actually notice?
If the answer is:
Probably not.
Delete it.
A surprising amount of maintenance comes from assertions that don't provide meaningful confidence.
Bad Assertions
expect(responseTime)
.toBe(183);
expect(itemCount)
.toBe(17);
expect(timestamp)
.toEqual('2026-07-28T08:00:00Z');
These tend to break constantly.
Better Assertions
expect(responseTime)
.toBeLessThan(500);
expect(itemCount)
.toBeGreaterThan(0);
expect(timestamp)
.toBeDefined();
These are more resilient.
The Assertion Pyramid I Recommend
Whenever I write a new API test, I ask three questions.
First
Does the response still match the contract?
→ Schema Assertion.
Second
Did the API return the correct business value?
→ Identity Assertion.
Third
Did the system actually perform the work?
→ Side-Effect Assertion.
Most useful tests contain at least one of these categories.
Many contain all three.
Example:
expect(response.body)
.toMatchSchema(userSchema);
expect(response.body.name)
.toBe('John');
expect(databaseUser)
.toExist();
Three assertions.
Three different guarantees.
High confidence.
Low maintenance.
Final Thoughts
When we reduced our thousands of assertions down to categories, we realized something important:
Most API testing is simpler than we make it.
The majority of valuable assertions answer only three questions:
- Is the contract still valid?
- Is the business value correct?
- Did the side effect happen?
Everything else should justify its existence.
If an assertion doesn't increase confidence or protect against meaningful regressions, it may not belong in the suite.
That's why I now start every API test by deciding which of these three categories I'm actually trying to validate.
If you'd like to go deeper into building maintainable API suites, I highly recommend the REST API testing best practices guide:
https://totalshiftleft.ai/blog/rest-api-testing-best-practices
Because the best API tests aren't the ones with the most assertions.
They're the ones with the right assertions.
Top comments (0)