Most teams I have worked with have one auth test in their suite. It looks like this:

```javascript
test('valid token verifies', () => {
  const token = signSync({ sub: 'user-1', aud: 'api://backend' }, secret);
  const result = verify(token, options);
  expect(result.valid).toBe(true);
});
```

That test is fine. It is also a smoke test, not a regression suite. It catches the case where verification is completely broken. It does not catch the case where verification accepts tokens that should be rejected — which is most of the auth bugs that ship to prod.

A real auth regression suite asserts that invalid tokens fail with the right code. Each test pairs a token with the failure mode it should produce. If the policy quietly accepts a token that should fail, the suite fails the PR. The audience configuration drift becomes visible the moment it's introduced, not three quarters later when someone writes the post-incident review.…