Field filtering for APIs
Cut payload size and response latency by letting clients request exactly the fields they need. This recipe walks through wiring a Meridian endpoint with sparse fieldsets, validating user input, and projecting only the requested columns at the storage layer.
1. Accept a fields query parameter
Convention: clients pass a comma-separated fields param like ?fields=id,name,createdAt. Parse it once at the edge and pass an allow-listed array down to your data layer. Never trust raw input as a column projection.
2. Validate against an allow-list
Reject unknown fields with a 400 response. This keeps client-supplied names out of the projection, which prevents SQL injection when the field list reaches your ORM, and gives clients a fast, deterministic error instead of a silent fallback.
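
    // Fields that clients may request; anything else is rejected.
    const ALLOWED = new Set([
      'id', 'name', 'createdAt', 'status'
    ]);

    export function parseFields(raw) {
      // No fields param: no projection was requested.
      if (!raw) return null;
      // Repeated params (?fields=a&fields=b) may arrive as an array;
      // reject them instead of crashing on split().
      if (typeof raw !== 'string') {
        throw new Error('fields must be a comma-separated string');
      }
      const fields = raw.split(',').map(s => s.trim());
      const bad = fields.filter(f => !ALLOWED.has(f));
      if (bad.length) {
        // The caller maps this error to a 400 response.
        throw new Error('Unknown fields: ' + bad.join(','));
      }
      return fields;
    }

3. Project at the storage layer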
Push the field list into your SELECT statement or ORM projection. Avoid hydrating full rows then discarding columns in JavaScript — that loses the latency win. With Meridian, the runtime tracks projection cost per request and surfaces it in your dashboard so you can spot endpoints that over-fetch.
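
One way to carry the validated field list into a SELECT, as an added example that is not Meridian's or the recipe author's code. The `widgets` table, the snake_case column names, the `$1` placeholder style, the `FieldError` class and the choice to return every allow-listed field when the param is absent are all assumptions made for illustration.

```javascript
// Added example: API field name -> SQL column (hypothetical schema).
const COLUMNS = new Map([
  ['id', 'id'],
  ['name', 'name'],
  ['createdAt', 'created_at'],
  ['status', 'status'],
]);

// Hypothetical error type; the HTTP layer turns .status into the response code.
class FieldError extends Error {
  constructor(message) {
    super(message);
    this.status = 400;
  }
}

// Returns { text, values } for a parameterized query.
function buildSelect(rawFields, id) {
  if (rawFields != null && typeof rawFields !== 'string') {
    throw new FieldError('fields must be a comma-separated string');
  }
  // Assumption: no fields param means "all allow-listed fields".
  const requested = rawFields
    ? [...new Set(rawFields.split(',').map(s => s.trim()))] // dedupe
    : [...COLUMNS.keys()];
  const bad = requested.filter(f => !COLUMNS.has(f));
  if (bad.length) throw new FieldError('Unknown fields: ' + bad.join(','));

  // Every identifier below equals an allow-list entry, so nothing
  // outside COLUMNS can appear in the SQL text.
  const projection = requested
    .map(f => `"${COLUMNS.get(f)}" AS "${f}"`)
    .join(', ');
  return {
    text: `SELECT ${projection} FROM "widgets" WHERE "id" = $1`,
    values: [id], // row id travels as a bound parameter, never in the text
  };
}

// Constructed sample input.
console.log(buildSelect('id, createdAt,id', 42).text);
```

Mapping through `COLUMNS` rather than interpolating the request string also lets the API names differ from the storage names, so renaming a column does not change the public contract.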