Epic Stack: Forms

When to use this skill

Use this skill when you need to:

Create forms in an Epic Stack application
Implement form validation with Zod
Work with Conform for progressively enhanced forms
Handle file uploads
Implement honeypot fields for spam protection
Handle form errors
Work with complex forms (fieldsets, arrays)

Patterns and conventions

Validation Philosophy

Following Epic Web principles:

Explicit is better than implicit - Make validation rules clear and explicit using Zod schemas. Every validation rule should be visible in the schema, not hidden in business logic. Error messages should be specific and helpful, telling users exactly what went wrong and how to fix it.

Design to fail fast and early - Validate input as early as possible, ideally on the client side before submission, and always on the server side. Return clear, specific error messages immediately so users can fix issues without frustration.

Example - Explicit validation:

// ✅ Good - Explicit validation with clear error messages
const SignupSchema = z.object({
	email: z
		.string({ required_error: 'Email is required' })
		.email({ message: 'Please enter a valid email address' })
		.min(3, { message: 'Email must be at least 3 characters' })
		.max(100, { message: 'Email must be less than 100 characters' })
		.transform((val) => val.toLowerCase().trim()),
	password: z
		.string({ required_error: 'Password is required' })
		.min(6, { message: 'Password must be at least 6 characters' })
		.max(72, { message: 'Password must be less than 72 characters' }),
})

// ❌ Avoid - Implicit validation
const SignupSchema = z.object({
	email: z.string().email(), // No clear error messages
	password: z.string().min(6), // Generic error
})

Example - Fail fast validation:

// ✅ Good - Validate early and return specific errors immediately
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	// Validate immediately - fail fast
	const submission = await parseWithZod(formData, {
		schema: SignupSchema,
	})

	// Return errors immediately if validation fails
	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: 400 }, // Clear error status
		)
	}

	// Only proceed if validation passed
	const { email, password } = submission.value
	// ... continue with signup
}

// ❌ Avoid - Delayed or unclear validation
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()
	const email = formData.get('email')
	const password = formData.get('password')

	// Validation scattered throughout the function
	if (!email) {
		// Generic error, not specific
		return json({ error: 'Invalid' }, { status: 400 })
	}
	// ... more scattered validation
}

Basic setup with Conform

Epic Stack uses Conform to handle forms with progressive enhancement.

Basic setup:

import { getFormProps, useForm } from '@conform-to/react'
import { getZodConstraint, parseWithZod } from '@conform-to/zod'
import { z } from 'zod'
import { Form } from 'react-router'

const SignupSchema = z.object({
	email: z.string().email(),
	password: z.string().min(6),
})

export default function SignupRoute({ actionData }: Route.ComponentProps) {
	const [form, fields] = useForm({
		id: 'signup-form',
		constraint: getZodConstraint(SignupSchema),
		lastResult: actionData?.result,
		onValidate({ formData }) {
			return parseWithZod(formData, { schema: SignupSchema })
		},
		shouldRevalidate: 'onBlur',
	})

	return (
		<Form method="POST" {...getFormProps(form)}>
			{/* Form fields */}
		</Form>
	)
}

Integration with Zod

Conform integrates seamlessly with Zod for validation.

Define schema:

import { z } from 'zod'

const SignupSchema = z
	.object({
		email: z.string().email('Invalid email'),
		password: z.string().min(6, 'Password must be at least 6 characters'),
		confirmPassword: z.string(),
	})
	.superRefine(({ confirmPassword, password }, ctx) => {
		if (confirmPassword !== password) {
			ctx.addIssue({
				path: ['confirmPassword'],
				code: 'custom',
				message: 'Passwords must match',
			})
		}
	})

Validation in action (fail fast):

export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	// Validate immediately - explicit and fail fast
	const submission = await parseWithZod(formData, {
		schema: SignupSchema,
	})

	// Return explicit errors immediately if validation fails
	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: submission.status === 'error' ? 400 : 200 },
		)
	}

	// Only proceed if validation passed - submission.value is type-safe
	const { email, password } = submission.value
	// ... process with validated data
}

Async validation

For validations that require querying the database:

export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	const submission = await parseWithZod(formData, {
		schema: SignupSchema.superRefine(async (data, ctx) => {
			const existingUser = await prisma.user.findUnique({
				where: { email: data.email },
				select: { id: true },
			})
			if (existingUser) {
				ctx.addIssue({
					path: ['email'],
					code: z.ZodIssueCode.custom,
					message: 'A user already exists with this email',
				})
			}
		}),
		async: true, // Important: enable async validation
	})

	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: submission.status === 'error' ? 400 : 200 },
		)
	}

	// ...
}

Field Components

Epic Stack provides pre-built field components:

Basic Field:

import { Field, ErrorList } from '#app/components/forms.tsx'
import { getInputProps } from '@conform-to/react'

<Field
	labelProps={{
		htmlFor: fields.email.id,
		children: 'Email',
	}}
	inputProps={{
		...getInputProps(fields.email, { type: 'email' }),
		autoFocus: true,
		autoComplete: 'email',
	}}
	errors={fields.email.errors}
/>

TextareaField:

import { TextareaField } from '#app/components/forms.tsx'
import { getTextareaProps } from '@conform-to/react'

<TextareaField
	labelProps={{
		htmlFor: fields.content.id,
		children: 'Content',
	}}
	textareaProps={{
		...getTextareaProps(fields.content),
		rows: 10,
	}}
	errors={fields.content.errors}
/>

CheckboxField:

import { CheckboxField } from '#app/components/forms.tsx'
import { getInputProps } from '@conform-to/react'

<CheckboxField
	labelProps={{
		htmlFor: fields.remember.id,
		children: 'Remember me',
	}}
	buttonProps={getInputProps(fields.remember, { type: 'checkbox' })}
	errors={fields.remember.errors}
/>

OTPField:

import { OTPField } from '#app/components/forms.tsx'

<OTPField
	labelProps={{
		htmlFor: fields.code.id,
		children: 'Verification Code',
	}}
	inputProps={{
		...getInputProps(fields.code),
		maxLength: 6,
	}}
	errors={fields.code.errors}
/>

Error Handling

Display field errors:

<Field
	// ... props
	errors={fields.email.errors} // Errores específicos del campo
/>

Display form errors:

import { ErrorList } from '#app/components/forms.tsx'

<ErrorList errors={form.errors} id={form.errorId} />

Error structure:

fields.fieldName.errors - Errors for a specific field
form.errors - General form errors (like formErrors)

Honeypot Fields

Epic Stack includes spam protection with honeypot fields.

In the form:

import { HoneypotInputs } from 'remix-utils/honeypot/react'

<Form method="POST" {...getFormProps(form)}>
	<HoneypotInputs /> {/* Always include in public forms */}
	{/* Rest of fields */}
</Form>

In the action:

import { checkHoneypot } from '#app/utils/honeypot.server.ts'

export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	await checkHoneypot(formData) // Throws error if spam

	// ... rest of code
}

File Uploads

For forms with file uploads, use encType="multipart/form-data".

Schema for files:

const MAX_UPLOAD_SIZE = 1024 * 1024 * 3 // 3MB

const ImageFieldsetSchema = z.object({
	id: z.string().optional(),
	file: z
		.instanceof(File)
		.optional()
		.refine((file) => {
			return !file || file.size <= MAX_UPLOAD_SIZE
		}, 'File must be less than 3MB'),
	altText: z.string().optional(),
})

const NoteEditorSchema = z.object({
	title: z.string().min(1).max(100),
	content: z.string().min(1).max(10000),
	images: z.array(ImageFieldsetSchema).max(5).optional(),
})

Form with file upload:

<Form
	method="POST"
	encType="multipart/form-data"
	{...getFormProps(form)}
>
	{/* Fields */}
</Form>

Process files in action:

export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	const submission = await parseWithZod(formData, {
		schema: NoteEditorSchema,
	})

	if (submission.status !== 'success') {
		return data({ result: submission.reply() }, { status: 400 })
	}

	const { images } = submission.value

	// Process files
	for (const image of images ?? []) {
		if (image.file) {
			// Upload file, save to storage, etc.
		}
	}

	// ...
}

Fieldsets y Arrays

For forms with repetitive fields (like multiple images):

Schema:

const ImageFieldsetSchema = z.object({
	id: z.string().optional(),
	file: z.instanceof(File).optional(),
	altText: z.string().optional(),
})

const FormSchema = z.object({
	images: z.array(ImageFieldsetSchema).max(5).optional(),
})

In the component:

import { FormProvider, getFieldsetProps } from '@conform-to/react'

const [form, fields] = useForm({
	// ...
	defaultValue: {
		images: note?.images ?? [{}],
	},
})

const imageList = fields.images.getFieldList()

return (
	<FormProvider context={form.context}>
		<Form method="POST" {...getFormProps(form)}>
			{imageList.map((image, index) => {
				const imageFieldset = getFieldsetProps(fields.images[index])
				return (
					<fieldset key={image.key} {...imageFieldset}>
						<input
							{...getInputProps(fields.images[index].file, { type: 'file' })}
						/>
						<input
							{...getInputProps(fields.images[index].altText, { type: 'text' })}
							placeholder="Alt text"
						/>
					</fieldset>
				)
			})}

			<button
				type="button"
				onClick={() => fields.images.append()}
			>
				Add Image
			</button>
		</Form>
	</FormProvider>
)

StatusButton

Use StatusButton to display submission status:

import { StatusButton } from '#app/components/ui/status-button.tsx'
import { useIsPending } from '#app/utils/misc.tsx'

const isPending = useIsPending()

<StatusButton
	className="w-full"
	status={isPending ? 'pending' : (form.status ?? 'idle')}
	type="submit"
	disabled={isPending}
>
	Submit
</StatusButton>

Progressive Enhancement

Forms work without JavaScript thanks to Conform:

Native HTML5 validation
Server-side validation
Enhancements with JavaScript when available

You don't need to do anything special - Conform handles this automatically.

Reusable Schema Validation

Create reusable schemas in app/utils/user-validation.ts:

// app/utils/user-validation.ts
import { z } from 'zod'

export const EmailSchema = z
	.string({ required_error: 'Email is required' })
	.email({ message: 'Email is invalid' })
	.min(3, { message: 'Email is too short' })
	.max(100, { message: 'Email is too long' })
	.transform((value) => value.toLowerCase())

export const PasswordSchema = z
	.string({ required_error: 'Password is required' })
	.min(6, { message: 'Password is too short' })
	.refine((val) => new TextEncoder().encode(val).length <= 72, {
		message: 'Password is too long',
	})

export const PasswordAndConfirmPasswordSchema = z
	.object({ password: PasswordSchema, confirmPassword: PasswordSchema })
	.superRefine(({ confirmPassword, password }, ctx) => {
		if (confirmPassword !== password) {
			ctx.addIssue({
				path: ['confirmPassword'],
				code: 'custom',
				message: 'The passwords must match',
			})
		}
	})

Use in forms:

import {
	EmailSchema,
	PasswordAndConfirmPasswordSchema,
} from '#app/utils/user-validation.ts'

const SignupSchema = z
	.object({
		email: EmailSchema,
		username: UsernameSchema,
	})
	.and(PasswordAndConfirmPasswordSchema)

Common examples

Example 1: Simple login form

// app/routes/_auth/login.tsx
import { getFormProps, getInputProps, useForm } from '@conform-to/react'
import { getZodConstraint, parseWithZod } from '@conform-to/zod'
import { z } from 'zod'
import { Field, ErrorList } from '#app/components/forms.tsx'
import { StatusButton } from '#app/components/ui/status-button.tsx'

const LoginSchema = z.object({
	email: z.string().email(),
	password: z.string().min(1),
})

export default function LoginRoute({ actionData }: Route.ComponentProps) {
	const isPending = useIsPending()

	const [form, fields] = useForm({
		id: 'login-form',
		constraint: getZodConstraint(LoginSchema),
		lastResult: actionData?.result,
		onValidate({ formData }) {
			return parseWithZod(formData, { schema: LoginSchema })
		},
		shouldRevalidate: 'onBlur',
	})

	return (
		<Form method="POST" {...getFormProps(form)}>
			<Field
				labelProps={{ htmlFor: fields.email.id, children: 'Email' }}
				inputProps={{
					...getInputProps(fields.email, { type: 'email' }),
					autoFocus: true,
					autoComplete: 'email',
				}}
				errors={fields.email.errors}
			/>
			<Field
				labelProps={{ htmlFor: fields.password.id, children: 'Password' }}
				inputProps={{
					...getInputProps(fields.password, { type: 'password' }),
					autoComplete: 'current-password',
				}}
				errors={fields.password.errors}
			/>
			<ErrorList errors={form.errors} id={form.errorId} />
			<StatusButton
				status={isPending ? 'pending' : (form.status ?? 'idle')}
				type="submit"
			>
				Login
			</StatusButton>
		</Form>
	)
}

Example 2: Form with async validation

// app/routes/_auth/signup.tsx
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()
	await checkHoneypot(formData)

	const submission = await parseWithZod(formData, {
		schema: SignupSchema.superRefine(async (data, ctx) => {
			const existingUser = await prisma.user.findUnique({
				where: { email: data.email },
				select: { id: true },
			})
			if (existingUser) {
				ctx.addIssue({
					path: ['email'],
					code: z.ZodIssueCode.custom,
					message: 'A user already exists with this email',
				})
			}
		}),
		async: true,
	})

	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: submission.status === 'error' ? 400 : 200 },
		)
	}

	// Procesar signup...
}

Example 3: Form with file upload

// app/routes/users/$username/notes/new.tsx
const NoteEditorSchema = z.object({
	title: z.string().min(1).max(100),
	content: z.string().min(1).max(10000),
	images: z.array(ImageFieldsetSchema).max(5).optional(),
})

export default function NewNoteRoute({ actionData }: Route.ComponentProps) {
	const [form, fields] = useForm({
		id: 'note-editor',
		constraint: getZodConstraint(NoteEditorSchema),
		lastResult: actionData?.result,
		onValidate({ formData }) {
			return parseWithZod(formData, { schema: NoteEditorSchema })
		},
		defaultValue: {
			images: [{}],
		},
		shouldRevalidate: 'onBlur',
	})

	const imageList = fields.images.getFieldList()

	return (
		<FormProvider context={form.context}>
			<Form
				method="POST"
				encType="multipart/form-data"
				{...getFormProps(form)}
			>
				<Field
					labelProps={{ children: 'Title' }}
					inputProps={{
						autoFocus: true,
						...getInputProps(fields.title, { type: 'text' }),
					}}
					errors={fields.title.errors}
				/>
				<TextareaField
					labelProps={{ children: 'Content' }}
					textareaProps={{
						...getTextareaProps(fields.content),
						rows: 10,
					}}
					errors={fields.content.errors}
				/>

				{imageList.map((image, index) => {
					const imageFieldset = getFieldsetProps(fields.images[index])
					return (
						<fieldset key={image.key} {...imageFieldset}>
							<input
								{...getInputProps(fields.images[index].file, { type: 'file' })}
								accept="image/*"
							/>
							<input
								{...getInputProps(fields.images[index].altText, { type: 'text' })}
								placeholder="Alt text"
							/>
						</fieldset>
					)
				})}

				<button
					type="button"
					onClick={() => fields.images.append()}
					disabled={imageList.length >= 5}
				>
					Add Image
				</button>

				<ErrorList errors={form.errors} id={form.errorId} />
				<StatusButton type="submit">Create Note</StatusButton>
			</Form>
		</FormProvider>
	)
}

Common mistakes to avoid

❌ Implicit validation: Always use explicit Zod schemas with clear error messages, not hidden validation logic
❌ Delayed validation: Validate input immediately and fail fast - don't wait until the end of the function
❌ Generic error messages: Use specific, helpful error messages that tell users exactly what's wrong
❌ Forgetting async: true in async validation: Always include async: true when using superRefine with async
❌ Not including HoneypotInputs in public forms: Always include honeypot in forms accessible without authentication
❌ Forgetting encType="multipart/form-data": Required for file uploads
❌ Not validating file sizes: Always validate size in the schema
❌ Not using getZodConstraint: Required for native HTML5 validation
❌ Forgetting lastResult in useForm: Required to display server errors
❌ Not using shouldRevalidate: 'onBlur': Improves UX by validating on field blur
❌ Not using pre-built field components: Field, TextareaField, etc. already handle accessibility and errors

References

Conform Documentation
Zod Documentation
Epic Web Principles
app/components/forms.tsx - Field components
app/routes/_auth/signup.tsx - Complete signup example
app/routes/_auth/onboarding/index.tsx - Complex form example
app/routes/users/$username/notes/+shared/note-editor.tsx - File uploads example
app/utils/user-validation.ts - Reusable schemas
docs/decisions/033-honeypot.md - Honeypot documentation

Epic Stack: Forms

When to use this skill

Use this skill when you need to:

Create forms in an Epic Stack application
Implement form validation with Zod
Work with Conform for progressively enhanced forms
Handle file uploads
Implement honeypot fields for spam protection
Handle form errors
Work with complex forms (fieldsets, arrays)

Patterns and conventions

Validation Philosophy

Following Epic Web principles:

Example - Explicit validation:

// ✅ Good - Explicit validation with clear error messages
const SignupSchema = z.object({
	email: z
		.string({ required_error: 'Email is required' })
		.email({ message: 'Please enter a valid email address' })
		.min(3, { message: 'Email must be at least 3 characters' })
		.max(100, { message: 'Email must be less than 100 characters' })
		.transform((val) => val.toLowerCase().trim()),
	password: z
		.string({ required_error: 'Password is required' })
		.min(6, { message: 'Password must be at least 6 characters' })
		.max(72, { message: 'Password must be less than 72 characters' }),
})

// ❌ Avoid - Implicit validation
const SignupSchema = z.object({
	email: z.string().email(), // No clear error messages
	password: z.string().min(6), // Generic error
})

Example - Fail fast validation:

// ✅ Good - Validate early and return specific errors immediately
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	// Validate immediately - fail fast
	const submission = await parseWithZod(formData, {
		schema: SignupSchema,
	})

	// Return errors immediately if validation fails
	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: 400 }, // Clear error status
		)
	}

	// Only proceed if validation passed
	const { email, password } = submission.value
	// ... continue with signup
}

// ❌ Avoid - Delayed or unclear validation
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()
	const email = formData.get('email')
	const password = formData.get('password')

	// Validation scattered throughout the function
	if (!email) {
		// Generic error, not specific
		return json({ error: 'Invalid' }, { status: 400 })
	}
	// ... more scattered validation
}

Basic setup with Conform

Epic Stack uses Conform to handle forms with progressive enhancement.

Basic setup:

import { getFormProps, useForm } from '@conform-to/react'
import { getZodConstraint, parseWithZod } from '@conform-to/zod'
import { z } from 'zod'
import { Form } from 'react-router'

const SignupSchema = z.object({
	email: z.string().email(),
	password: z.string().min(6),
})

export default function SignupRoute({ actionData }: Route.ComponentProps) {
	const [form, fields] = useForm({
		id: 'signup-form',
		constraint: getZodConstraint(SignupSchema),
		lastResult: actionData?.result,
		onValidate({ formData }) {
			return parseWithZod(formData, { schema: SignupSchema })
		},
		shouldRevalidate: 'onBlur',
	})

	return (
		<Form method="POST" {...getFormProps(form)}>
			{/* Form fields */}
		</Form>
	)
}

Integration with Zod

Conform integrates seamlessly with Zod for validation.

Define schema:

import { z } from 'zod'

const SignupSchema = z
	.object({
		email: z.string().email('Invalid email'),
		password: z.string().min(6, 'Password must be at least 6 characters'),
		confirmPassword: z.string(),
	})
	.superRefine(({ confirmPassword, password }, ctx) => {
		if (confirmPassword !== password) {
			ctx.addIssue({
				path: ['confirmPassword'],
				code: 'custom',
				message: 'Passwords must match',
			})
		}
	})

Validation in action (fail fast):

export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	// Validate immediately - explicit and fail fast
	const submission = await parseWithZod(formData, {
		schema: SignupSchema,
	})

	// Return explicit errors immediately if validation fails
	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: submission.status === 'error' ? 400 : 200 },
		)
	}

	// Only proceed if validation passed - submission.value is type-safe
	const { email, password } = submission.value
	// ... process with validated data
}

Async validation

For validations that require querying the database:

export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	const submission = await parseWithZod(formData, {
		schema: SignupSchema.superRefine(async (data, ctx) => {
			const existingUser = await prisma.user.findUnique({
				where: { email: data.email },
				select: { id: true },
			})
			if (existingUser) {
				ctx.addIssue({
					path: ['email'],
					code: z.ZodIssueCode.custom,
					message: 'A user already exists with this email',
				})
			}
		}),
		async: true, // Important: enable async validation
	})

	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: submission.status === 'error' ? 400 : 200 },
		)
	}

	// ...
}

Field Components

Epic Stack provides pre-built field components:

Basic Field:

import { Field, ErrorList } from '#app/components/forms.tsx'
import { getInputProps } from '@conform-to/react'

<Field
	labelProps={{
		htmlFor: fields.email.id,
		children: 'Email',
	}}
	inputProps={{
		...getInputProps(fields.email, { type: 'email' }),
		autoFocus: true,
		autoComplete: 'email',
	}}
	errors={fields.email.errors}
/>

TextareaField:

import { TextareaField } from '#app/components/forms.tsx'
import { getTextareaProps } from '@conform-to/react'

<TextareaField
	labelProps={{
		htmlFor: fields.content.id,
		children: 'Content',
	}}
	textareaProps={{
		...getTextareaProps(fields.content),
		rows: 10,
	}}
	errors={fields.content.errors}
/>

CheckboxField:

import { CheckboxField } from '#app/components/forms.tsx'
import { getInputProps } from '@conform-to/react'

<CheckboxField
	labelProps={{
		htmlFor: fields.remember.id,
		children: 'Remember me',
	}}
	buttonProps={getInputProps(fields.remember, { type: 'checkbox' })}
	errors={fields.remember.errors}
/>

OTPField:

import { OTPField } from '#app/components/forms.tsx'

<OTPField
	labelProps={{
		htmlFor: fields.code.id,
		children: 'Verification Code',
	}}
	inputProps={{
		...getInputProps(fields.code),
		maxLength: 6,
	}}
	errors={fields.code.errors}
/>

Error Handling

Display field errors:

<Field
	// ... props
	errors={fields.email.errors} // Errores específicos del campo
/>

Display form errors:

import { ErrorList } from '#app/components/forms.tsx'

<ErrorList errors={form.errors} id={form.errorId} />

Error structure:

fields.fieldName.errors - Errors for a specific field
form.errors - General form errors (like formErrors)

Honeypot Fields

Epic Stack includes spam protection with honeypot fields.

In the form:

import { HoneypotInputs } from 'remix-utils/honeypot/react'

<Form method="POST" {...getFormProps(form)}>
	<HoneypotInputs /> {/* Always include in public forms */}
	{/* Rest of fields */}
</Form>

In the action:

import { checkHoneypot } from '#app/utils/honeypot.server.ts'

export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	await checkHoneypot(formData) // Throws error if spam

	// ... rest of code
}

File Uploads

For forms with file uploads, use encType="multipart/form-data".

Schema for files:

const MAX_UPLOAD_SIZE = 1024 * 1024 * 3 // 3MB

const ImageFieldsetSchema = z.object({
	id: z.string().optional(),
	file: z
		.instanceof(File)
		.optional()
		.refine((file) => {
			return !file || file.size <= MAX_UPLOAD_SIZE
		}, 'File must be less than 3MB'),
	altText: z.string().optional(),
})

const NoteEditorSchema = z.object({
	title: z.string().min(1).max(100),
	content: z.string().min(1).max(10000),
	images: z.array(ImageFieldsetSchema).max(5).optional(),
})

Form with file upload:

<Form
	method="POST"
	encType="multipart/form-data"
	{...getFormProps(form)}
>
	{/* Fields */}
</Form>

Process files in action:

export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	const submission = await parseWithZod(formData, {
		schema: NoteEditorSchema,
	})

	if (submission.status !== 'success') {
		return data({ result: submission.reply() }, { status: 400 })
	}

	const { images } = submission.value

	// Process files
	for (const image of images ?? []) {
		if (image.file) {
			// Upload file, save to storage, etc.
		}
	}

	// ...
}

Fieldsets y Arrays

For forms with repetitive fields (like multiple images):

Schema:

const ImageFieldsetSchema = z.object({
	id: z.string().optional(),
	file: z.instanceof(File).optional(),
	altText: z.string().optional(),
})

const FormSchema = z.object({
	images: z.array(ImageFieldsetSchema).max(5).optional(),
})

In the component:

import { FormProvider, getFieldsetProps } from '@conform-to/react'

const [form, fields] = useForm({
	// ...
	defaultValue: {
		images: note?.images ?? [{}],
	},
})

const imageList = fields.images.getFieldList()

return (
	<FormProvider context={form.context}>
		<Form method="POST" {...getFormProps(form)}>
			{imageList.map((image, index) => {
				const imageFieldset = getFieldsetProps(fields.images[index])
				return (
					<fieldset key={image.key} {...imageFieldset}>
						<input
							{...getInputProps(fields.images[index].file, { type: 'file' })}
						/>
						<input
							{...getInputProps(fields.images[index].altText, { type: 'text' })}
							placeholder="Alt text"
						/>
					</fieldset>
				)
			})}

			<button
				type="button"
				onClick={() => fields.images.append()}
			>
				Add Image
			</button>
		</Form>
	</FormProvider>
)

StatusButton

Use StatusButton to display submission status:

import { StatusButton } from '#app/components/ui/status-button.tsx'
import { useIsPending } from '#app/utils/misc.tsx'

const isPending = useIsPending()

<StatusButton
	className="w-full"
	status={isPending ? 'pending' : (form.status ?? 'idle')}
	type="submit"
	disabled={isPending}
>
	Submit
</StatusButton>

Progressive Enhancement

Forms work without JavaScript thanks to Conform:

Native HTML5 validation
Server-side validation
Enhancements with JavaScript when available

You don't need to do anything special - Conform handles this automatically.

Reusable Schema Validation

Create reusable schemas in app/utils/user-validation.ts:

// app/utils/user-validation.ts
import { z } from 'zod'

export const EmailSchema = z
	.string({ required_error: 'Email is required' })
	.email({ message: 'Email is invalid' })
	.min(3, { message: 'Email is too short' })
	.max(100, { message: 'Email is too long' })
	.transform((value) => value.toLowerCase())

export const PasswordSchema = z
	.string({ required_error: 'Password is required' })
	.min(6, { message: 'Password is too short' })
	.refine((val) => new TextEncoder().encode(val).length <= 72, {
		message: 'Password is too long',
	})

export const PasswordAndConfirmPasswordSchema = z
	.object({ password: PasswordSchema, confirmPassword: PasswordSchema })
	.superRefine(({ confirmPassword, password }, ctx) => {
		if (confirmPassword !== password) {
			ctx.addIssue({
				path: ['confirmPassword'],
				code: 'custom',
				message: 'The passwords must match',
			})
		}
	})

Use in forms:

import {
	EmailSchema,
	PasswordAndConfirmPasswordSchema,
} from '#app/utils/user-validation.ts'

const SignupSchema = z
	.object({
		email: EmailSchema,
		username: UsernameSchema,
	})
	.and(PasswordAndConfirmPasswordSchema)

Common examples

Example 1: Simple login form

// app/routes/_auth/login.tsx
import { getFormProps, getInputProps, useForm } from '@conform-to/react'
import { getZodConstraint, parseWithZod } from '@conform-to/zod'
import { z } from 'zod'
import { Field, ErrorList } from '#app/components/forms.tsx'
import { StatusButton } from '#app/components/ui/status-button.tsx'

const LoginSchema = z.object({
	email: z.string().email(),
	password: z.string().min(1),
})

export default function LoginRoute({ actionData }: Route.ComponentProps) {
	const isPending = useIsPending()

	const [form, fields] = useForm({
		id: 'login-form',
		constraint: getZodConstraint(LoginSchema),
		lastResult: actionData?.result,
		onValidate({ formData }) {
			return parseWithZod(formData, { schema: LoginSchema })
		},
		shouldRevalidate: 'onBlur',
	})

	return (
		<Form method="POST" {...getFormProps(form)}>
			<Field
				labelProps={{ htmlFor: fields.email.id, children: 'Email' }}
				inputProps={{
					...getInputProps(fields.email, { type: 'email' }),
					autoFocus: true,
					autoComplete: 'email',
				}}
				errors={fields.email.errors}
			/>
			<Field
				labelProps={{ htmlFor: fields.password.id, children: 'Password' }}
				inputProps={{
					...getInputProps(fields.password, { type: 'password' }),
					autoComplete: 'current-password',
				}}
				errors={fields.password.errors}
			/>
			<ErrorList errors={form.errors} id={form.errorId} />
			<StatusButton
				status={isPending ? 'pending' : (form.status ?? 'idle')}
				type="submit"
			>
				Login
			</StatusButton>
		</Form>
	)
}

Example 2: Form with async validation

// app/routes/_auth/signup.tsx
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()
	await checkHoneypot(formData)

	const submission = await parseWithZod(formData, {
		schema: SignupSchema.superRefine(async (data, ctx) => {
			const existingUser = await prisma.user.findUnique({
				where: { email: data.email },
				select: { id: true },
			})
			if (existingUser) {
				ctx.addIssue({
					path: ['email'],
					code: z.ZodIssueCode.custom,
					message: 'A user already exists with this email',
				})
			}
		}),
		async: true,
	})

	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: submission.status === 'error' ? 400 : 200 },
		)
	}

	// Procesar signup...
}

Example 3: Form with file upload

// app/routes/users/$username/notes/new.tsx
const NoteEditorSchema = z.object({
	title: z.string().min(1).max(100),
	content: z.string().min(1).max(10000),
	images: z.array(ImageFieldsetSchema).max(5).optional(),
})

export default function NewNoteRoute({ actionData }: Route.ComponentProps) {
	const [form, fields] = useForm({
		id: 'note-editor',
		constraint: getZodConstraint(NoteEditorSchema),
		lastResult: actionData?.result,
		onValidate({ formData }) {
			return parseWithZod(formData, { schema: NoteEditorSchema })
		},
		defaultValue: {
			images: [{}],
		},
		shouldRevalidate: 'onBlur',
	})

	const imageList = fields.images.getFieldList()

	return (
		<FormProvider context={form.context}>
			<Form
				method="POST"
				encType="multipart/form-data"
				{...getFormProps(form)}
			>
				<Field
					labelProps={{ children: 'Title' }}
					inputProps={{
						autoFocus: true,
						...getInputProps(fields.title, { type: 'text' }),
					}}
					errors={fields.title.errors}
				/>
				<TextareaField
					labelProps={{ children: 'Content' }}
					textareaProps={{
						...getTextareaProps(fields.content),
						rows: 10,
					}}
					errors={fields.content.errors}
				/>

				{imageList.map((image, index) => {
					const imageFieldset = getFieldsetProps(fields.images[index])
					return (
						<fieldset key={image.key} {...imageFieldset}>
							<input
								{...getInputProps(fields.images[index].file, { type: 'file' })}
								accept="image/*"
							/>
							<input
								{...getInputProps(fields.images[index].altText, { type: 'text' })}
								placeholder="Alt text"
							/>
						</fieldset>
					)
				})}

				<button
					type="button"
					onClick={() => fields.images.append()}
					disabled={imageList.length >= 5}
				>
					Add Image
				</button>

				<ErrorList errors={form.errors} id={form.errorId} />
				<StatusButton type="submit">Create Note</StatusButton>
			</Form>
		</FormProvider>
	)
}

Common mistakes to avoid

❌ Implicit validation: Always use explicit Zod schemas with clear error messages, not hidden validation logic
❌ Delayed validation: Validate input immediately and fail fast - don't wait until the end of the function
❌ Generic error messages: Use specific, helpful error messages that tell users exactly what's wrong
❌ Forgetting async: true in async validation: Always include async: true when using superRefine with async
❌ Not including HoneypotInputs in public forms: Always include honeypot in forms accessible without authentication
❌ Forgetting encType="multipart/form-data": Required for file uploads
❌ Not validating file sizes: Always validate size in the schema
❌ Not using getZodConstraint: Required for native HTML5 validation
❌ Forgetting lastResult in useForm: Required to display server errors
❌ Not using shouldRevalidate: 'onBlur': Improves UX by validating on field blur
❌ Not using pre-built field components: Field, TextareaField, etc. already handle accessibility and errors

References

Conform Documentation
Zod Documentation
Epic Web Principles
app/components/forms.tsx - Field components
app/routes/_auth/signup.tsx - Complete signup example
app/routes/_auth/onboarding/index.tsx - Complex form example
app/routes/users/$username/notes/+shared/note-editor.tsx - File uploads example
app/utils/user-validation.ts - Reusable schemas
docs/decisions/033-honeypot.md - Honeypot documentation

Adoption

epicweb-dev/epic-forms

$ install --global

Security Scan Results

SKILL.md

Epic Stack: Forms

When to use this skill

Patterns and conventions

Validation Philosophy

Basic setup with Conform

Integration with Zod

Async validation

Field Components

Error Handling

Honeypot Fields

File Uploads

Fieldsets y Arrays

StatusButton

Progressive Enhancement

Reusable Schema Validation

Common examples

Example 1: Simple login form

Example 2: Form with async validation

Example 3: Form with file upload

Common mistakes to avoid

References

Related Skills

epicweb-dev/epic-ui-guidelines

epicweb-dev/epic-testing

epicweb-dev/epic-security

epicweb-dev/epic-routing

epicweb-dev/epic-forms

$ install --global

Security Scan Results

SKILL.md

Epic Stack: Forms

When to use this skill

Patterns and conventions

Validation Philosophy

Basic setup with Conform

Integration with Zod

Async validation

Field Components

Error Handling

Honeypot Fields

File Uploads

Fieldsets y Arrays

StatusButton

Progressive Enhancement

Reusable Schema Validation

Common examples

Example 1: Simple login form

Example 2: Form with async validation

Example 3: Form with file upload

Common mistakes to avoid

References

Related Skills

epicweb-dev/epic-ui-guidelines

epicweb-dev/epic-testing

epicweb-dev/epic-security

epicweb-dev/epic-routing