// the find
cdimascio/express-openapi-validator
🦋 Auto-validates api requests, responses, and securities using ExpressJS and an OpenAPI 3.1.x or 3.0.x specification
Express middleware that validates incoming requests and outgoing responses against an OpenAPI 3.0/3.1 spec using AJV under the hood. Drop it in before your routes and bad requests get rejected automatically, before they ever hit your handler. Aimed at Node/Express API authors who want their spec to be the source of truth for validation, not a documentation afterthought.
Response validation is opt-in and actually works: most competing middleware only validates requests. OAS 3.1 support landed in v5.4 and is covered by dedicated test suites, not just a checkbox. The test directory is enormous (100+ spec files) and regression tests are named by issue number, which means real-world bug reports become permanent fixtures. Multi-file spec support via $ref works correctly, which is where a lot of validators quietly break.
Response validation intercepts the response stream, which adds measurable latency in high-throughput scenarios — the docs quietly recommend disabling it in production, which undercuts the main selling point. Security validation is pluggable but the default behavior on missing handlers is to pass requests through, which is a footgun if you forget to wire up a handler. It is Express-only at its core; the Koa and Fastify ports live on a separate branch and appear unmaintained. No support for streaming request bodies or multipart validation beyond file uploads — if you send a JSON stream or chunked body, you're on your own.
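A startup check against the missing-handler footgun described above, as an added example that is not code from the project: it walks the spec's global and per-operation `security` requirements and reports every scheme that has no function in the map passed as `validateSecurity.handlers`. The helper names, the sample spec and the stub handler are constructed for illustration.

```javascript
// Added example, not part of express-openapi-validator.
// findUnhandledSchemes and assertSecurityHandlers are hypothetical helper names.
const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

function findUnhandledSchemes(spec, handlers = {}) {
  const referenced = new Set();
  const collect = (requirements) => {
    for (const requirement of requirements || []) {
      // Each requirement object maps a scheme name to its required scopes.
      Object.keys(requirement).forEach((name) => referenced.add(name));
    }
  };
  collect(spec.security); // global requirements
  for (const pathItem of Object.values(spec.paths || {})) {
    for (const method of HTTP_METHODS) {
      if (pathItem && pathItem[method]) collect(pathItem[method].security); // per-operation
    }
  }
  // A scheme counts as handled only if the map holds a function for it.
  return [...referenced].filter((name) => typeof handlers[name] !== 'function').sort();
}

function assertSecurityHandlers(spec, handlers) {
  const missing = findUnhandledSchemes(spec, handlers);
  if (missing.length > 0) {
    throw new Error(`No security handler wired for: ${missing.join(', ')}`);
  }
}

// Constructed sample: two schemes are referenced, only one has a handler.
const sampleSpec = {
  openapi: '3.0.3',
  security: [{ ApiKeyAuth: [] }],
  paths: {
    '/admin': { get: { security: [{ BearerAuth: ['admin'] }] } },
    '/health': { get: { security: [] } }, // explicitly public operation
  },
  components: {
    securitySchemes: {
      ApiKeyAuth: { type: 'apiKey', in: 'header', name: 'X-API-Key' },
      BearerAuth: { type: 'http', scheme: 'bearer' },
    },
  },
};
const sampleHandlers = {
  // Constructed deny-all stand-in for a real credential check.
  ApiKeyAuth: (req, scopes, schema) => false,
};
```

Call `assertSecurityHandlers(apiSpec, handlers)` before mounting the validator middleware so the process fails at boot instead of serving routes whose scheme has no handler.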