JSON input
valid
Zod output
Paste the JSON object your Next.js Server Action receives and get a Zod schema you can run at the action's entry. Validate untrusted input from any caller — forms, useActionState, fetch — instead of trusting 'use server' to be a boundary it isn't.
Server Actions look like local functions but they're really POST endpoints — the 'use server' directive tells Next.js to expose them over HTTP, and any client that can craft an HTTP request can call them. That makes the action's argument an untrusted boundary, not a trusted in-process call. Wrapping the action body with schema.parse(input) at the top turns malformed or malicious bodies into a single named ZodError at one place, instead of a runtime crash four function calls deep when a missing field surfaces as a property-access on undefined.
The schema generated here pairs with the same-shape TypeScript sibling page: the interface is what your action's argument is typed as, the Zod schema is what runs at runtime. For form submissions wired through react-hook-form's zodResolver, the same schema can validate on the client too — one schema, two boundaries. For FormData callers, run Object.fromEntries(formData) first, then z.coerce.* the numeric and boolean fields (everything in FormData is a string on the wire).