Recipe

Validate inputs before you post

Catch validation errors before the API does. The public ring enforces strict input rules server-side, but mirroring them in your client — mandatory consent, a valid email, a flat fields object within size limits — gives users instant feedback and saves a round trip. The server remains the final authority; your checks are a courtesy, not a substitute.

2 min read

consentMust be "yes"
flat≤60 keys, ≤16 KiB
emailValidate format

The rules to mirror

  • form — 1–64 chars, [a-z0-9_-].
  • fields — flat object, ≤60 keys, ≤16 KiB encoded, values string/number/boolean only.
  • fields.email — if present, a valid address.
  • fields.consent — must equal "yes".

Why mirror them

Client-side validation gives immediate, friendly feedback and avoids a wasted request that would just come back as a 422. It improves the experience and reduces load.

The server is still the authority

Never trust the client. The API re-validates everything server-side and rejects anything that does not fit, regardless of what your form allowed. Treat your checks as UX, not security.

Frequently asked questions

If I validate client-side, does the server still check?

Yes, always. The server is the final authority and re-validates every field. Your client checks are for user experience, not enforcement.

What are the size limits on fields?

Up to 60 keys and ≤16 KiB when JSON-encoded, with flat string/number/boolean values only.

Funding for UK limited companies

Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.