When building APIs, the hardest bugs often come from the easiest oversight: trusting user input. If your controller accepts data as-is and only relies on business logic to catch errors, you’re putting too much responsibility on the wrong layer. Validation isn’t a nice-to-have. It’s a contract.
