validator.js

String validation and sanitization library for JavaScript. Provides 100+ validators for common formats: isEmail(), isURL(), isUUID(), isCreditCard(), isPhoneNumber(), isISO8601(), isIP(), isNumeric(), isAlphanumeric(), and many more. Also includes sanitizers (escape, trim, normalizeEmail). Works in both Node.js and browsers. Not an object schema validator — validates individual strings only. Used as the underlying engine in express-validator.

Evaluated Mar 06, 2026 (0d ago) v13.x

Homepage ↗ Repo ↗ Developer Tools validation email url string sanitization javascript node browser typescript

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

100

Rate Limits

100

🔒 Security

TLS Enforcement

100

Auth Strength

100

Scope Granularity

100

Dep. Hygiene

Secret Handling

100

Input validation library — helps prevent XSS and injection via sanitizers. No network surface. escape() and trim() sanitizers prevent common injection attacks.

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

You need to validate specific string formats (email, URL, UUID, phone number) quickly without a full schema validation framework.

Avoid When

You need to validate complete request objects with nested fields and type coercion — use Zod or Joi instead.

Use Cases

• Validate user-submitted email addresses, URLs, phone numbers, and other format-specific strings before storing or using them
• Sanitize user input (HTML escaping, trimming, normalizing email) to prevent XSS and ensure clean data
• Validate API request parameters (UUIDs, ISO dates, IP addresses) in Express middleware or route handlers
• Check if a string is a valid credit card number, IBAN, or other financial format for form validation
• Validate and normalize locale-specific phone numbers using isPhoneNumber with locale support

Not For

• Object schema validation — use Zod, Joi, or Yup for validating entire objects with nested fields and type coercion
• TypeScript type narrowing — validator.js returns boolean, not a type guard; use Zod for type-safe validation
• Business rule validation — validator.js validates format/structure, not business logic

Interface

REST API

GraphQL

gRPC

MCP Server

SDK

Yes

Webhooks

Authentication

Methods: none

OAuth: No Scopes: No

No authentication — validation utility library.

Pricing

Model: open_source

Free tier: Yes

Requires CC: No

Fully free, MIT licensed.

Agent Metadata

Pagination

none

Idempotent

Full

Retry Guidance

Not documented

Known Gotchas

⚠ All validators require string input — passing non-string types (number, null, undefined) throws TypeError; always convert to string first with String(value)
⚠ isEmail() applies RFC-compliant validation which may reject some real-world email addresses — use allow_utf8_local_part and allow_display_name options for lenient validation
⚠ isURL() is strict by default — localhost URLs, IP addresses, and custom protocols are rejected unless explicitly allowed via options (require_tld: false, allow_protocol_relative_urls: true)
⚠ Sanitizers mutate and return new strings — they don't modify in place; assign sanitizer result: const clean = validator.escape(input)
⚠ normalizeEmail() changes email format (lowercases, removes Gmail dots) — don't use for email lookup if database stores un-normalized originals
⚠ No object validation — for validating request bodies with multiple fields, use express-validator (which wraps this library) or Zod/Joi

Alternatives

zod-api joi-validation-api yup-api express-validator-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for validator.js.

$99

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.