TypeScriptZodValidationAPI Design

Zod runtime validation in Next.js API routes: what TypeScript alone can't catch

Oliver White

2 May 2026 · 6 min read

At the API boundary — HTTP request bodies, query parameters, webhook payloads — TypeScript has no power. It enforces types within your codebase at compile time, but it cannot verify what arrives over the network at runtime. Zod fills that gap: it validates inputs at the edge of your system, before any Redis call or database query forms.

What TypeScript can't protect you from

Consider this vote API handler. TypeScript is happy — it compiles cleanly. But what happens when an attacker sends a malformed request?

typescript

// ❌ TypeScript thinks this is fine — it will runtime-error in production
export async function POST(request: Request) {
  const body = await request.json();
  // TypeScript assumes body has the shape you expect — it doesn't verify it
  const { artwork_id, contest_id } = body as { artwork_id: string; contest_id: string };

  // What if artwork_id is undefined? Or a SQL injection string? Or 50,000 characters long?
  await supabase.rpc('submit_vote', { p_artwork_id: artwork_id, p_contest_id: contest_id });
}

Zod validates at runtime, not compile time

typescript

// lib/validators.ts
import { z } from 'zod';

export const VoteSchema = z.object({
  artwork_id: z.string().uuid('Invalid artwork ID'),
  contest_id: z.string().uuid('Invalid contest ID'),
});

// app/api/v1/vote/route.ts
export async function POST(request: Request) {
  const requestId = generateRequestId();

  let body: unknown;
  try { body = await request.json(); }
  catch { return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 }); }

  const parsed = VoteSchema.safeParse(body);
  if (!parsed.success) {
    logger.warn({ requestId, errors: parsed.error.flatten() }, 'validation failed');
    return NextResponse.json({ error: 'Invalid input', details: parsed.error.flatten() }, { status: 400 });
  }

  // parsed.data is now typed AND validated at runtime
  const { artwork_id, contest_id } = parsed.data;
  // ...
}

Input	TypeScript (compile-time)	Zod (runtime)
"valid-uuid-here"	✓ accepts string	✓ accepts valid UUID
"not-a-uuid"	✓ accepts string	✗ rejects — not UUID format
undefined	✗ type error (if typed)	✗ rejects — required field
null	✗ type error (if typed)	✗ rejects — not a string
"; DROP TABLE votes;"	✓ accepts string	✗ rejects — not UUID format
12345 (number)	✗ type error	✗ rejects — not a string

✓

UUIDs have a strict format: 8-4-4-4-12 hexadecimal characters. z.string().uuid() rejects anything that doesn't match — including SQL injection attempts, oversized strings, and type confusions. This eliminates an entire class of injection risk before the query even forms.

The validation order matters

Every API route in AI Art Arena follows the same order: parse JSON, Zod validate, rate limit check, auth check, database call. This sequence is not arbitrary — it's designed to fail fast on cheap checks before doing expensive ones:

Parse JSON — free, catches malformed payloads immediately
Zod validate — cheap CPU, catches invalid inputs before any I/O
Rate limit — one Redis read, protects downstream from abuse
Auth check — session validation, gates privileged operations
Database call — most expensive, only runs if everything above passes

An attacker sending malformed payloads never touches Redis or the database. An anonymous user hitting the rate limit never triggers a database query. The order enforces a performance and security pyramid.

Built with this methodology

TypeScript catches type errors at compile time. At the API boundary — HTTP request bodies, query parameters, webhook payloads — TypeScript has no power. Zod validates at runtime, before anything touches Redis or the database.

See the live platform this post documents →

From the build log

Next.jsAuthentication

Three bugs, one session: fixing a NextAuth v5 race condition, Next.js 16 async params, and broken contest URLs

Read →

PostgreSQLSupabase

PostgreSQL SECURITY DEFINER functions: atomic votes, 80% latency reduction, zero race conditions

Read →

Written by

Oliver White →

← All posts

TypeScriptZodValidationAPI Design

Zod runtime validation in Next.js API routes: what TypeScript alone can't catch

Oliver White

2 May 2026 · 6 min read

What TypeScript can't protect you from

Consider this vote API handler. TypeScript is happy — it compiles cleanly. But what happens when an attacker sends a malformed request?

typescript

// ❌ TypeScript thinks this is fine — it will runtime-error in production
export async function POST(request: Request) {
  const body = await request.json();
  // TypeScript assumes body has the shape you expect — it doesn't verify it
  const { artwork_id, contest_id } = body as { artwork_id: string; contest_id: string };

  // What if artwork_id is undefined? Or a SQL injection string? Or 50,000 characters long?
  await supabase.rpc('submit_vote', { p_artwork_id: artwork_id, p_contest_id: contest_id });
}

Zod validates at runtime, not compile time

typescript

// lib/validators.ts
import { z } from 'zod';

export const VoteSchema = z.object({
  artwork_id: z.string().uuid('Invalid artwork ID'),
  contest_id: z.string().uuid('Invalid contest ID'),
});

// app/api/v1/vote/route.ts
export async function POST(request: Request) {
  const requestId = generateRequestId();

  let body: unknown;
  try { body = await request.json(); }
  catch { return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 }); }

  const parsed = VoteSchema.safeParse(body);
  if (!parsed.success) {
    logger.warn({ requestId, errors: parsed.error.flatten() }, 'validation failed');
    return NextResponse.json({ error: 'Invalid input', details: parsed.error.flatten() }, { status: 400 });
  }

  // parsed.data is now typed AND validated at runtime
  const { artwork_id, contest_id } = parsed.data;
  // ...
}

Input	TypeScript (compile-time)	Zod (runtime)
"valid-uuid-here"	✓ accepts string	✓ accepts valid UUID
"not-a-uuid"	✓ accepts string	✗ rejects — not UUID format
undefined	✗ type error (if typed)	✗ rejects — required field
null	✗ type error (if typed)	✗ rejects — not a string
"; DROP TABLE votes;"	✓ accepts string	✗ rejects — not UUID format
12345 (number)	✗ type error	✗ rejects — not a string

✓

The validation order matters

Parse JSON — free, catches malformed payloads immediately
Zod validate — cheap CPU, catches invalid inputs before any I/O
Rate limit — one Redis read, protects downstream from abuse
Auth check — session validation, gates privileged operations
Database call — most expensive, only runs if everything above passes

Built with this methodology

See the live platform this post documents →

From the build log

Next.jsAuthentication

Three bugs, one session: fixing a NextAuth v5 race condition, Next.js 16 async params, and broken contest URLs

Read →

PostgreSQLSupabase

PostgreSQL SECURITY DEFINER functions: atomic votes, 80% latency reduction, zero race conditions

Read →

Written by

Oliver White →

← All posts