Zod
TypeScript-first schema validation library with static type inference. Define schemas (z.string(), z.object(), z.array()) and Zod derives both runtime validation and TypeScript types from them — single source of truth. Used extensively for form validation, API input parsing, environment variable validation, and OpenAI function calling schemas in TypeScript agents.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Validation library that prevents malformed data from entering agent logic. No network calls. Type-safe validation prevents class of injection and type confusion vulnerabilities.
⚡ Reliability
Best When
You're writing TypeScript and want a single schema definition that gives you both runtime validation and TypeScript type inference — Zod is the standard choice.
Avoid When
You're not using TypeScript or need schema validation in a language other than JS/TS — Pydantic for Python, JSON Schema validators for other languages.
Use Cases
- • Validate and parse LLM-generated structured output against typed schemas with detailed error messages for retry logic
- • Define OpenAI function calling tool schemas in TypeScript and derive both JSON schema and TypeScript types from Zod definitions
- • Validate environment variables at startup with z.object() to fail fast with clear error messages in agent deployments
- • Parse and validate API request bodies in Node.js agent services with Zod schemas and tRPC integration
- • Validate agent tool call arguments against typed contracts with Zod's parse/safeParse for graceful error handling
Not For
- • Python or non-TypeScript codebases — Zod is TypeScript-only; use Pydantic for Python, Joi for plain JS
- • Simple runtime type checks without TypeScript — Joi or Yup are more mature for plain JavaScript use
- • High-performance validation of millions of records — Zod has some overhead; use faster validators for bulk processing
Interface
Authentication
Local validation library — no authentication required.
Pricing
MIT license. Created by Colin McDonnell.
Agent Metadata
Known Gotchas
- ⚠ z.infer<typeof schema> derives TypeScript types at compile time — the inferred type is only as good as the schema; always verify schema matches expected runtime data structure
- ⚠ safeParse() vs parse() — parse() throws on validation failure while safeParse() returns a discriminated union; always use safeParse() in agent code that handles untrusted input
- ⚠ Optional vs nullish: z.optional() accepts undefined but rejects null; z.nullable() accepts null but rejects undefined; z.nullish() accepts both — API responses often return null for missing fields
- ⚠ z.object().strip() is the default (removes unknown keys) — use z.object().passthrough() to preserve unknown keys or .strict() to reject unknown keys explicitly
- ⚠ Zod 3.x and Zod 4.x (in development) have API changes — lock your version; avoid mixing Zod 3 and Zod 4 in the same project
- ⚠ Large complex nested schemas can increase TypeScript compilation time — for extremely complex agent schemas, consider splitting into smaller schemas composed with z.merge()
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Zod.
Scores are editorial opinions as of 2026-03-06.