diff --git a/packages/stream-metadata/src/routes/profileImage.ts b/packages/stream-metadata/src/routes/profileImage.ts
index b589439b5..8537f02d4 100644
--- a/packages/stream-metadata/src/routes/profileImage.ts
+++ b/packages/stream-metadata/src/routes/profileImage.ts
@@ -1,23 +1,29 @@
 import { FastifyReply, FastifyRequest } from 'fastify'
 import { ChunkedMedia } from '@river-build/proto'
 import { StreamPrefix, StreamStateView, makeStreamId } from '@river-build/sdk'
+import { z } from 'zod'
 import { StreamIdHex } from '../types'
 import { getMediaStreamContent, getStream } from '../riverStreamRpcClient'
 import { isBytes32String, isValidEthereumAddress } from '../validators'
 import { getMediaEncryption } from '../media-encryption'
+const paramsSchema = z.object({
+ userId: z.string().min(1, 'userId parameter is required'),
+})
+
 export async function fetchUserProfileImage(request: FastifyRequest, reply: FastifyReply) {
 const logger = request.log.child({ name: fetchUserProfileImage.name })
- const { userId } = request.params as { userId?: string }
+ const parseResult = paramsSchema.safeParse(request.params)
- if (!userId) {
- logger.info('userId parameter is required')
- return reply
- .code(400)
- .send({ error: 'Bad Request', message: 'userId parameter is required' })
+ if (!parseResult.success) {
+ const errorMessage = parseResult.error.errors[0]?.message || 'Invalid parameters'
+ logger.info(errorMessage)
+ return reply.code(400).send({ error: 'Bad Request', message: errorMessage })
 }
+ const { userId } = parseResult.data
+
 if (!isValidEthereumAddress(userId)) {
 logger.info({ userId }, 'Invalid userId')
 return reply.code(400).send({ error: 'Bad Request', message: 'Invalid userId' })
diff --git a/packages/stream-metadata/src/routes/userBio.ts b/packages/stream-metadata/src/routes/userBio.ts
index e07b5d7f1..78ab28b1f 100644
--- a/packages/stream-metadata/src/routes/userBio.ts
+++ b/packages/stream-metadata/src/routes/userBio.ts
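Review bot: In profileImage.ts the custom text on `z.string().min(1, 'userId parameter is required')` only fires for an empty string; if `userId` is absent or not a string, zod reports its own default issue text, and `parseResult.error.errors[0]?.message` forwards that text into the 400 body, so the response for a missing parameter appears to differ from the old wording. Giving the type check the same message, `userId: z.string({ required_error: 'userId parameter is required' }).min(1, 'userId parameter is required'),`, keeps the previous contract and keeps library-generated wording out of the client response. Whether a missing value can actually reach the handler depends on the route registration, which is not visible here. The same schema and fallback are added in the userBio.ts hunk, and fetchUserProfileImage continues past the end of this hunk.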
@@ -1,20 +1,26 @@
 import { FastifyReply, FastifyRequest } from 'fastify'
 import { StreamPrefix, StreamStateView, makeStreamId } from '@river-build/sdk'
+import { z } from 'zod'
 import { getStream } from '../riverStreamRpcClient'
 import { isValidEthereumAddress } from '../validators'
+const paramsSchema = z.object({
+ userId: z.string().min(1, 'userId parameter is required'),
+})
+
 export async function fetchUserBio(request: FastifyRequest, reply: FastifyReply) {
 const logger = request.log.child({ name: fetchUserBio.name })
- const { userId } = request.params as { userId?: string }
+ const parseResult = paramsSchema.safeParse(request.params)
- if (!userId) {
- logger.info('userId parameter is required')
- return reply
- .code(400)
- .send({ error: 'Bad Request', message: 'userId parameter is required' })
+ if (!parseResult.success) {
+ const errorMessage = parseResult.error.errors[0]?.message || 'Invalid parameters'
+ logger.info(errorMessage)
+ return reply.code(400).send({ error: 'Bad Request', message: errorMessage })
 }
+ const { userId } = parseResult.data
+
 if (!isValidEthereumAddress(userId)) {
 logger.info({ userId }, 'Invalid userId')
 return reply.code(400).send({ error: 'Bad Request', message: 'Invalid userId' })
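Review bot: `paramsSchema` in userBio.ts is a second, identical copy of the one added to profileImage.ts, and in both files the schema only proves a non-empty string while the real format gate stays in a separate `isValidEthereumAddress` call a few lines later. Exporting a single schema from the existing `../validators` module, with the address check folded in as `z.string().min(1, 'userId parameter is required').refine(isValidEthereumAddress, 'Invalid userId')`, would stop the two routes from drifting apart and give any later route one validated entry point. If the structured `{ userId }` field on the 'Invalid userId' log line is still wanted, it would have to be logged from the parse-failure branch instead. fetchUserBio's body continues outside the hunk.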