Problem Statement

When working with API responses on the frontend, we often start with an implicit assumption:

If types are generated from OpenAPI, the response is safe.

The combination of TypeScript and OpenAPI significantly improves frontend productivity.
However, it does not guarantee the safety of API responses at runtime.

TypeScript types exist only at compile time.
Data received from the server at runtime still lives in a zone of trust.

In this post, I revisit a Swagger-based API generation setup and redefine how much responsibility the frontend should reasonably take for API responses, and why I ended up choosing Orval in that process.

The Existing Setup and Its Limitations

This project adopted swagger-typescript-api from the beginning, generating type definitions and API functions directly from OpenAPI documents.

This approach had clear advantages:

• API interfaces were explicit
• Type definitions stayed in sync with backend contracts
• Frontend boilerplate was significantly reduced

However, the limitations were equally clear:

• There was no runtime validation for API responses
• Invalid responses were still consumed directly by the UI
• Type safety only existed at compile time

I never experienced a production incident caused by runtime type mismatches.
But that was not because the structure was inherently safe — it was simply because the problem had not occurred yet.

How Far Should Runtime Validation Go?

Zod was already part of the codebase, but its responsibility was clearly scoped to user input (User I/O) validation.

Extending Zod to API responses presented two options:

1. Manually rewrite every API response interface as a Zod schema
2. Give up runtime validation entirely and fully trust the backend

The first option had a high cost with unclear returns. The second meant the frontend would take no responsibility at all for API response correctness.

What I needed instead was a way to derive both static types and runtime validation from the same source.

Why Orval

Orval can generate the following directly from OpenAPI specifications:

• API clients
• React Query–based hooks
• Zod-based runtime schemas
• And additional client configurations depending on use cases

This made it possible to keep the API specification as a single source of truth while securing both static typing and runtime validation.

Frontend code no longer needed to manually manage Zod schemas.
API response validation could be handled consistently through a shared parsing layer.

Migration Strategy

The migration focused on preserving the existing structure as much as possible:

• Custom hooks were kept intact
• Orval-generated query hooks were used internally
• Zod-based validation was applied at the select stage

This approach minimized structural changes while introducing a validation gate before data reached the UI.

When invalid responses appear, the UI no longer renders broken states. Instead, they follow a clear validation error flow.

Generated Code and Bundle Size

Although the number of generated files increased, the Vite-based bundling setup ensured that only actually used code was included.

Since gzip compression was already in place, no additional performance issues were introduced.

Limitations and Trade-offs

This structure does introduce a clear learning curve:

• A solid understanding of React Query and Zod is required
• Generated code and abstraction layers are not always easy to follow

After the migration, team members unfamiliar with the structure faced a noticeable learning cost.

This was a deliberate trade-off:
consistency and safety in exchange for higher onboarding effort.

Conclusion

The goal of this migration was not to make API responses “perfectly safe.” Instead, I wanted to redefine API responses on the frontend as follows:

• API responses are not trusted, they are validated
• Runtime validation is a domain-level responsibility, not a UI concern
• Static types and runtime validation should originate from the same schema

Within these constraints, Orval proved to be a reasonable choice.