API Routes Validation

The best practices to validate your API routes payloads using Zod in your Remix Supabase application.

Validating payloads is necessary to ensure your API endpoints receive the expected data. To validate the API, we use Zod.

Zod is a Typescript library that helps us secure our API endpoints by validating the payloads sent from the client and also facilitating the typing of the payload with Typescript.

Using Zod is the first line of defense to validate the data sent against our API: as a result, it's something we recommend you keep doing. It ensures we write safe, resilient, and valid code.

When we write an API endpoint, we first define the schema of the payload:

tsx

function getBodySchema() {
  return z.object({
    displayName: z.string(),
    email: z.string().email(),
  });
}

This function represents the schema, which will validate the following interface:

tsx

interface Body {
  displayName: string;
  email: Email;
}

Now, let's write the body of the API handler that validates the body of the function, which we expect to be equal to the Body interface.

tsx

import { throwBadRequestException } from `~/core/http-exceptions`;
export const action: ActionFunction = async ({ request }) => {
  try {
     // we can safely use data with the interface Body
    const schema = getBodySchema();
    const body = await request.json();
    const { displayName, email } = schema.parse(body);
    return sendInvite({ displayName, email });
  } catch(e) {
    return throwBadRequestException();
  }
}

I encourage you to never skip the validation step when writing your API endpoints.

import { throwBadRequestException } from `~/core/http-exceptions`; export const action: ActionFunction = async ({ request }) => { try { // we can safely use data with the interface Body const schema = getBodySchema(); const body = await request.json(); const { displayName, email } = schema.parse(body); return sendInvite({ displayName, email }); } catch(e) { return throwBadRequestException(); } }