almessadi.
Back to Index

TypeScript Still Needs Runtime Validation at the Boundary_

TypeScript is excellent for internal correctness, but once data crosses a trust boundary you need executable validation. That is why Zod fits so well in full-stack TypeScript apps.

PublishedAugust 4, 2024
Reading Time11 min read
Tags
#Frontend#TypeScript#Zod#Architecture

TypeScript makes application code safer. It does not validate untrusted input at runtime.

That sounds obvious, but teams still collapse those two ideas into one. They model a request payload as an interface, cast the incoming data, and act surprised when the system accepts malformed input anyway.

The reason is simple: interfaces disappear at runtime.

Where the Problem Actually Starts

These are trust boundaries:

  • request bodies
  • query parameters
  • environment variables
  • webhook payloads
  • local storage and form data
  • third-party API responses

On the far side of those boundaries, the data is just unknown. If you skip validation there, TypeScript is no longer protecting anything meaningful.

Why Zod Works Well

Zod is useful because the schema exists as executable code:

import { z } from "zod";

export const CreateUserSchema = z.object({
  email: z.string().email(),
  age: z.number().int().positive(),
  name: z.string().min(1),
});

You can validate incoming data directly:

const result = CreateUserSchema.safeParse(req.body);

if (!result.success) {
  return res.status(400).json({
    error: "Invalid payload",
    details: result.error.flatten(),
  });
}

await db.user.create({ data: result.data });

Now the validation logic is real, not implied.

The Best Part in TypeScript Projects

You still get strong types from the same schema:

type CreateUserInput = z.infer<typeof CreateUserSchema>;

That is why Zod feels so natural in full-stack TypeScript applications. You do not have to choose between runtime validation and compile-time ergonomics.

The Trade-Off

The trade-off is explicitness. You are writing schemas on purpose, maintaining them, and deciding where validation belongs. That is work. It is just much better work than debugging malformed payloads after they get deep into the system.

SEO and Product Impact

Validation is not a pure backend concern. Cleaner validation leads to better error handling, more stable forms, fewer broken user flows, and better crawlable application behavior when server responses stay predictable. That helps both reliability and user trust.

Further Reading

Related Writing.

Continue with closely related articles on software engineering, architecture, and implementation trade-offs.

Next.js Server Actions Are Great for UI-Close Mutations

Server Actions reduce boilerplate for form and mutation flows in the App Router, but they are not a reason to delete every explicit API contract.

Mar 02, 2025

How Next.js Image Optimization Actually Works

What `next/image` improves, where the optimization work happens, and the trade-offs you should understand before relying on it heavily.

Feb 18, 2025