Request Validation at the Edge: Zod Schemas, OpenAPI, and Type-Safe APIs

Your TypeScript types vanish at runtime. Every req.body is any wearing a costume. The Gap Between Types and Reality TypeScript gives you compile-time safety. But HTTP requests don't come from your compiler — they come from the internet. A POST /users endpoint typed as { name: string; email: string } will happily accept { name: 42, email: null } at runtime unless you validate. Most teams handle this one of three ways: Manual if checks scattered through handlers (tedious, incomplete) Class-validator decorators (heavy, reflection-based) Nothing (bold strategy) There's a better path: define your schema once, validate at the edge, generate your OpenAPI spec, and share types across your stack. Zod: Schema as the Source of Truth Zod lets you define schemas that are both runtime validators and TypeScript type generators. import { z } from 'zod'; export const CreateUserSchema = z.object({ name: z.string().min(1).max(100), email: z.string().email(), role: z.enum(['admin', 'member', 'viewer']).de