I'm liking how the #RSpec tests are shaping up overall though.
I'd be really interested to get some review from someone with more experience; I did find a few examples of "request" specs (which is the main layer I've decided to start with) around, but there seem to be several different taste preferences going on.
So far, having a "context" for each combination of HTTP verb + endpoint is working out reasonably, and then separate blocks to test unauthenticated / unauthorised / success