Request Validation (Zod/Joi)

Request validation ensures that incoming API data conforms to expected types, formats, and business rules before reaching business logic. Libraries like Zod (TypeScript-first, zero dependencies) and Joi (JavaScript, mature ecosystem) allow developers to define schemas declaratively and validate input at the API boundary. Validation should cover request bodies, query parameters, path parameters, and headers, catching malformed input early and returning clear error messages.

Zod has become the preferred choice in TypeScript projects because it infers static types from schemas, eliminating the need to maintain separate TypeScript interfaces and validation schemas. A Zod schema like z.object({ email: z.string().email(), age: z.number().int().min(18) }) serves as both the runtime validator and the TypeScript type. Joi remains popular in JavaScript projects and offers a rich set of built-in validators and custom validation support.

Validation errors should be returned as structured 400 or 422 responses with field-level error details: which field failed, what rule was violated, and what value was received (unless sensitive). A common pattern is to validate at the controller/handler layer using middleware, stripping unknown fields (Zod's .strict() or .strip()) to prevent mass assignment vulnerabilities. Validation schemas should be co-located with route definitions and exported for use in API documentation generation and client SDK type generation.