30.6 Validation Libraries: Zod and TypeBox for Request Validation
Right, let’s talk about keeping the barbarians at the gate. You’ve got an Express or Fastify endpoint, and you’re trusting the internet—a collection of cats, bots, and malicious actors—to send you well-formed, perfectly typed data. Hilarious, right? We both know any is a lie we tell ourselves to feel safe at night. The request body is a terrifying unknown, and it’s our job to turn it into something we can actually use without blowing up the entire application. That’s where runtime validation comes in, and Zod and TypeBox are your two best friends for this particular trench warfare.
Why Runtime Validation is Non-Negotiable
TypeScript’s type safety evaporates at runtime. It’s a compile-time guardian. You can define a beautiful User interface, but the moment a POST request hits your /signup endpoint, that req.body is just a blob of JSON. A user could send { "email": 42, "password": null } and your type system would shrug because it’s already done its job. Without runtime validation, you’re left with:
- Crashing your application with a
Cannot read property 'trim' of nullfive layers deep in your business logic. - Writing a ton of tedious, repetitive, and error-prone
ifstatements to check every field. - Letting garbage data into your database, which is a nightmare to clean up later.
A validation library does this dirty work for you, consistently and declaratively. It parses the incoming data against a schema you define and either gives you a perfectly typed object or tells you exactly what went wrong. It’s the bouncer for your API club.
Zod: The Developer Experience Champion
Zod is the new kid on the block who immediately became the life of the party. Its API is so intuitive it feels like cheating. You define a schema, and that schema is the type. Let’s see it in action with Express.
// user.schema.ts
import { z } from 'zod';
// Define the schema. Look at this clarity.
export const UserCreateSchema = z.object({
email: z.string().email("Seriously? That's not an email."),
password: z.string().min(8, "Password must be at least 8 characters, champ."),
age: z.number().int().positive().optional(),
});
// Zod automatically infers the TypeScript type. Magic.
export type UserCreate = z.infer<typeof UserCreateSchema>;
Now, let’s use it in a route. Notice how we’re not just checking the data, we’re parsing it. Zod will strip out any unknown fields by default, which is a security and sanity best practice.
// user.routes.ts
import { Request, Response, NextFunction } from 'express';
import { UserCreateSchema } from './user.schema';
export const createUser = async (
req: Request,
res: Response,
next: NextFunction
) => {
try {
// This is the crucial line. `parse` returns the fully typed object
// or throws a ZodError with detailed information.
const parsedData: UserCreate = UserCreateSchema.parse(req.body);
// Now you can use `parsedData` with 100% confidence.
// `parsedData.email` is a string, `parsedData.age` is number | undefined.
const newUser = await userService.create(parsedData);
res.status(201).json(newUser);
} catch (error) {
// Zod errors are structured and easy to format for the client.
if (error instanceof ZodError) {
res.status(400).json({
message: 'Invalid input',
errors: error.errors,
});
} else {
next(error); // Pass on to your general error handler
}
}
};
The beauty here is the single source of truth. You change the schema, and the type UserCreate changes with it. No keeping them in sync manually. It’s brilliant.
TypeBox: The Performance-Conscious Choice
Now, what if you’re a performance nut? Or you’re using Fastify, which has validation baked into its very soul? Meet TypeBox. Its superpower is that it creates JSON Schema, a standard that tools like Fastify’s ajv integrator understand natively and can optimize the hell out of.
// user.schema.ts
import { Static, Type } from '@sinclair/typebox';
// This looks similar, but it's building a JSON Schema object under the hood.
export const UserCreateSchema = Type.Object({
email: Type.String({ format: 'email' }),
password: Type.String({ minLength: 8 }),
age: Type.Optional(Type.Integer({ minimum: 0 })),
});
// You can still infer the TypeScript type, same as Zod.
export type UserCreate = Static<typeof UserCreateSchema>;
Where TypeBox truly shines is its integration with Fastify. The marriage is so seamless it’s almost unfair.
// user.routes.ts with Fastify
import { FastifyInstance } from 'fastify';
export default async function (fastify: FastifyInstance) {
fastify.post<{ Body: UserCreate }>(
'/signup',
{
// This is the magic. You pass the TypeBox schema directly to Fastify.
schema: {
body: UserCreateSchema,
response: {
201: UserCreateSchema, // You can validate responses too!
},
},
},
async (request, reply) => {
// No manual parsing needed! Fastify has already validated the body.
// `request.body` is now typed as `UserCreate` and guaranteed to be valid.
const newUser = await userService.create(request.body);
reply.code(201).send(newUser); // Response will also be validated against the schema.
}
);
}
Fastify + TypeBox is a powerhouse duo. The validation happens at the framework level, often at a much higher performance tier than Zod can manage in a simple Express middleware, because ajv compiles schemas. It’s a thing of beauty.
The Showdown: Which One Should You Pick?
This isn’t a cop-out answer: it depends on your context.
- Choose Zod if you value developer experience above all else. Its error messages are fantastic, its API is a joy to use, and it has a richer set of transformers and utilities out of the box. It’s perfect for Express applications or any project where you want the best possible DX.
- Choose TypeBox if you’re on Fastify or need raw performance. Its native JSON Schema output is the key. It integrates with the entire ecosystem of JSON Schema tools. If you’re already using OpenAPI/Swagger documentation, TypeBox schemas can often be fed directly into those generators.
The best practice, no matter which you choose, is to keep your validation at the system boundaries. Validate the incoming request immediately and transform it into a known, trusted type. Never let unvalidated data propagate into your core application logic. It’s the only way to sleep soundly after you deploy your API to the chaotic, wonderful, and utterly absurd internet.