diff --git a/Cargo.lock b/Cargo.lock
index 27c103e..a4cc876 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2083,6 +2083,28 @@ dependencies = [
  "vcpkg",
 ]
 
+[[package]]
+name = "proc-macro-error-attr2"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+]
+
+[[package]]
+name = "proc-macro-error2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802"
+dependencies = [
+ "proc-macro-error-attr2",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.89"
@@ -2614,6 +2636,7 @@ dependencies = [
  "tracing",
  "tracing-subscriber",
  "uuid",
+ "validator",
 ]
 
 [[package]]
@@ -3187,6 +3210,36 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "validator"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "43fb22e1a008ece370ce08a3e9e4447a910e92621bb49b85d6e48a45397e7cfa"
+dependencies = [
+ "idna 1.0.3",
+ "once_cell",
+ "regex",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "url",
+ "validator_derive",
+]
+
+[[package]]
+name = "validator_derive"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7df16e474ef958526d1205f6dda359fdfab79d9aa6d54bafcb92dcd07673dca"
+dependencies = [
+ "darling",
+ "once_cell",
+ "proc-macro-error2",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "valuable"
 version = "0.1.0"
diff --git a/Cargo.toml b/Cargo.toml
index 9b7abf5..3a71013 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -34,3 +34,4 @@ regex = "1.11.1"
 lettre = { version = "0.11.12", features = ["tokio1", "serde", "tracing", "tokio1-native-tls"] }
 clap = { version = "4.5.31", features = ["derive"] }
 diesel_migrations = { version = "2.2.0", features = ["postgres"] }
+validator = { version = "0.20.0", features = ["derive"] }
diff --git a/src/app_error.rs b/src/app_error.rs
index c9f1d93..bed2090 100644
--- a/src/app_error.rs
+++ b/src/app_error.rs
@@ -2,6 +2,7 @@ use std::fmt::{self, Display};
 
 use axum::http::StatusCode;
 use axum::response::{IntoResponse, Redirect, Response};
+use validator::ValidationErrors;
 
 #[derive(Debug)]
 pub struct AuthRedirectInfo {
@@ -24,6 +25,12 @@ impl AppError {
     pub fn auth_redirect_from_base_path(base_path: String) -> Self {
         Self::AuthRedirect(AuthRedirectInfo { base_path })
     }
+
+    pub fn from_validation_errors(errs: ValidationErrors) -> Self {
+        Self::BadRequestError(
+            serde_json::to_string(&errs).unwrap_or("validation error".to_string()),
+        )
+    }
 }
 
 // Tell axum how to convert `AppError` into a response.
diff --git a/src/v0_router.rs b/src/v0_router.rs
index fe450e4..940d525 100644
--- a/src/v0_router.rs
+++ b/src/v0_router.rs
@@ -1,3 +1,4 @@
+use std::sync::LazyLock;
 use anyhow::Context;
 use axum::{
     extract::Query,
@@ -7,9 +8,11 @@ use axum::{
 };
 use chrono::TimeDelta;
 use diesel::{dsl::insert_into, prelude::*, update};
+use regex::Regex;
 use serde::Deserialize;
 use serde_json::json;
 use uuid::Uuid;
+use validator::Validate;
 
 use crate::{
     api_keys::ApiKey,
@@ -24,22 +27,39 @@ use crate::{
 const TEAM_GOVERNOR_DEFAULT_WINDOW_SIZE_SEC: i64 = 300;
 const TEAM_GOVERNOR_DEFAULT_MAX_COUNT: i32 = 50;
 
+static RE_PROJECT_NAME: LazyLock<Regex> =
+    LazyLock::new(|| Regex::new(r"^[a-z0-9_-]{1,100}$").unwrap());
+
 pub fn new_router(state: AppState) -> Router<AppState> {
     Router::new().route("/say", get(say_get)).with_state(state)
 }
 
-#[derive(Deserialize)]
+#[derive(Deserialize, Validate)]
 struct SayQuery {
+    #[serde(alias = "k")]
     key: Uuid,
+    #[serde(alias = "p")]
+    #[validate(regex(
+        path = *RE_PROJECT_NAME,
+        message = "may be no more than 100 characters and contain only alphanumerics, -, and _",
+    ))]
     project: String,
+    #[serde(alias = "m")]
+    #[validate(length(
+        min = 1,
+        max = 2048,
+        message = "message must be non-empty and no larger than 2KiB"
+    ))]
     message: String,
 }
 
 async fn say_get(
     DbConn(db_conn): DbConn,
-    Query(query): Query<SayQuery>,
+    Query(mut query): Query<SayQuery>,
 ) -> Result<impl IntoResponse, AppError> {
-    // TODO: do some validation of message contents
+    query.project = query.project.to_lowercase().replace(" ", "_");
+    query.validate().map_err(AppError::from_validation_errors)?;
+
     let api_key = {
         let query_key = query.key.clone();
         db_conn
@@ -57,7 +77,7 @@ async fn say_get(
     };
 
     let project = {
-        let project_name = query.project.to_lowercase();
+        let project_name = query.project.clone();
         db_conn
             .interact::<_, Result<Project, AppError>>(move |conn| {
                 conn.transaction(move |conn| {