Validation Best Practices
Validate at the boundary and trust types inside your domain.
How to Use This List
- Review during design reviews and before production deploys.
- Convert repeat failures into automated CI policy where possible.
- Revisit after framework minor upgrades.
Boundary
- Validate HTTP, queue, and file inputs with Pydantic.
- Use extra='forbid' on external payloads.
- Map to domain types after validation.
Models
- Split input, internal, and output models.
- Avoid mutable defaults; use default_factory.
- Keep validators small and deterministic.
Performance
- Prefer model_validate_json on hot paths.
- Reuse models; avoid redefining dynamically.
- Profile before micro-optimizing Python validators.
Security
- Never log full payloads with secrets.
- Cap string and list sizes with Field constraints.
- Treat validation as security gate zero.
FAQs
When should I adopt Pydantic validation practices?
Use it when the patterns and trade-offs on this page match your API or data boundary.
What is the top production mistake with Pydantic validation practices?
Skipping validation, timeouts, or explicit error contracts at the HTTP edge.
How do I test Pydantic validation practices?
Use the framework test client, override dependencies, and assert status plus JSON shape.
Does Pydantic validation practices work with Python 3.14?
Yes - examples target Python 3.14 with pinned framework versions from the stack footer.
How does Pydantic validation practices relate to Pydantic 2?
Validate and serialize at boundaries; keep services working with typed domain objects.
Sync or async?
Prefer async routes when I/O dominates; keep CPU work small or offload to workers.
Where should business logic live?
Thin handlers; services own rules; repositories own queries.
How do I document APIs?
Publish OpenAPI or schema docs that match response models in code.
How do I handle versioning?
Explicit URL or header versioning with deprecation windows - avoid silent breaks.
What should I read next?
Follow the Related links for the next layer of depth in this section.
How do I stay secure?
Authenticate callers, authorize per resource, rate-limit, and never log secrets.
Performance first step?
Measure DB and upstream latency before swapping frameworks.
Related
- Pydantic Basics - Core models
- Validators - Custom rules
- Serialization - model_dump
- Settings Management - env config
Stack versions: This page was written for Python 3.14.0 (stable 3.14, maintenance 3.13), FastAPI 0.115+, Django 5.2, Flask 3.1, Pydantic 2, PyTorch 2.6+, pandas 2.2+, Polars 1.x, ruff 0.9+, and uv 0.6+.