Zod, OpenAPI, and Swagger for API Contracts

A public API is not just backend code. It is a product surface for another developer.

That means the contract has to be readable. It also has to be enforced at runtime. Types in the app are useful, but an external script can still send the wrong shape, miss a field, or use an old version of an endpoint.

I like using Zod at the boundary because it makes the expected input explicit.

import { z } from "zod";

// Shape the server accepts for a create request; anything else is rejected at the boundary.
const CreateRequestSchema = z.object({
  title: z.string().min(1),
  priority: z.enum(["low", "normal", "high"]).default("normal"),
});

This example is intentionally generic. The real point is that the server validates what crossed the boundary. It does not trust a client because the TypeScript type looked correct somewhere else.

OpenAPI solves a different problem. It makes the contract visible. A developer should be able to see the authentication requirement, request body, response shape, and error format without reading the server code.

Swagger or another API documentation UI then gives people a way to inspect and try the API. That is not just convenience. It can reduce support questions because the expected behavior is easier to discover.

The part I try to design carefully is the error shape. A validation error is still a product response. It should be stable enough that another system can handle it.

{
  "error": {
    "code": "validation_failed",
    "message": "The request body is invalid.",
    "fields": {
      "title": "Title is required."
    }
  }
}

The exact format can vary, but it should be consistent. If one endpoint returns "message", another returns "errors", and another returns a plain string, every integration becomes more brittle.

The main risk is drift. Validation can say one thing while the docs say another. The OpenAPI file can be updated after the code or forgotten during a refactor. That is why I prefer generating as much of the contract as possible from the same schemas used at runtime, or at least keeping tests around the documented examples.

There is a trade-off. API tooling can become heavy if the product does not need a public or partner-facing API yet. For internal routes used only by the app, a full Swagger setup may be more ceremony than value. But when another developer or script depends on the behavior, the extra clarity is worth it.

My practical checklist for an API boundary is:

  • validate runtime input
  • document the request and response
  • keep authentication requirements visible
  • return a stable error shape
  • include one realistic example
  • test the contract path, not only the happy path

I would not describe this as “API-first” for every project. Sometimes the product starts with the web app and the API follows. That is fine. But once the API exists, it deserves the same attention as a screen. It is still a user interface. The user just happens to be another program.
