What is validation?

Validation means checking that user input meets the rules before doing anything with it. In the signup form, those rules are things like "email must be a valid email address" and "password must be at least 8 characters."

How it works

  1. The user submits a form. The browser sends the field values to the server as form data — a format like name=Alice&email=alice@example.com&password=secret123.
  2. The server converts that into a plain object: { name: "Alice", email: "alice@example.com", password: "secret123" }.
  3. That object is checked against a validation schema — a set of rules that describe what valid input looks like. For example: name must be present, email must be a valid address, password must be at least 8 characters.
  4. If every rule passes, the data moves on to the next step (like creating a user). If any rule fails, the server sends back error messages and the form shows them next to the relevant fields.

What's a validation schema?

A validation schema is a description of what valid input looks like, written in code. In this project, schemas are written with Zod, a TypeScript library. A Zod schema for signup might say: name is a string, email is a valid email, password is at least 8 characters. If any rule fails, Zod returns a structured error explaining what went wrong.

This is different from a database schema, which defines the structure of your tables and columns. A database schema says "the users table has an email column." A validation schema says "the email the user just typed must be a valid email address." One describes storage, the other checks input.

Why not just check in the browser?

Client-side checks can always be bypassed — anyone can send a request directly to your server without using the form. You can never rely on client validation for security. The server is the only place you can truly enforce rules.

On top of that, client-side validation is limited to checks on the value itself, such as its type, format and length. Rules like "this email is already taken" or "this token has expired" can only be checked on the server, where you have access to the database.
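
The four steps under "How it works", and the point above that a request can reach the server without passing through the form, as an added JavaScript example. It is not code from Gista.js and does not use Zod: signupSchema is a hand-written, dependency-free stand-in for a Zod schema, and the function names, error messages and sample request bodies are constructed for illustration.

```javascript
// Added example: dependency-free stand-in for a Zod signup schema.
// Each rule returns an error message, or null when the value passes.
const signupSchema = {
  name: (v) => (v.trim().length > 0 ? null : "Name is required"),
  // Simplified email shape check (assumption), not a full address parser.
  email: (v) =>
    /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) ? null : "Enter a valid email address",
  password: (v) =>
    v.length >= 8 ? null : "Password must be at least 8 characters",
};

// Steps 1-2: decode the raw form body into a plain object.
// Only fields declared in the schema are copied; anything else is ignored.
function parseFormBody(body, schema) {
  const params = new URLSearchParams(body);
  const data = {};
  for (const field of Object.keys(schema)) {
    data[field] = params.get(field) ?? ""; // missing field -> empty string
  }
  return data;
}

// Step 3: run every rule and collect errors keyed by field name.
function validate(data, schema) {
  const errors = {};
  for (const [field, rule] of Object.entries(schema)) {
    const message = rule(data[field]);
    if (message) errors[field] = message;
  }
  return errors;
}

// Step 4: pass clean data on, or return per-field errors for the form.
function handleSignup(body) {
  const data = parseFormBody(body, signupSchema);
  const errors = validate(data, signupSchema);
  return Object.keys(errors).length === 0
    ? { ok: true, data }
    : { ok: false, errors };
}

// Constructed sample bodies. The second never went through the HTML form,
// so required / type="email" / minlength were never applied to it.
const fromForm = "name=Alice&email=alice@example.com&password=secret123";
const direct = "name=&email=not-an-email&password=short";

console.log(handleSignup(fromForm));
console.log(handleSignup(direct));
```

The second body fails all three rules on the server even though a browser would never have submitted it from the form.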

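You can do both client and server if you want, but modern browsers already support basic checks natively through HTML attributes like required, type="email", and minlength. That covers the simple stuff without writing any JavaScript. Those attributes are a convenience for the user, not enforcement: the server-side schema still has to apply the same rules.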

That's why Gista.js focuses on server-only validation. The round trip is fast enough that you rarely need client-side checks on top of it.