Should we validate path parameters in API?

I have an API /api/examples/:id and id is stored in database as Integer. I also return 400 for validation error and 404 for resource not found.

Should I need to validate id data type in this API ? (Should I return 400 or 404 when client pass id param as String like /api/examples/abc ?).

I suppose you make a database query with it. So you should definetely check the input that no SQLInjection happens when forwarding the API parameter into your SQL-Statement.

You can do the check yourself by checking that id is an integer. Or you can use the mysql Driver capabilities to use parameters with ? so it checks that the statement is valid and not breaking the query.

In fact you should do this anyhow.

If you just forward the id as a unsafe-string and do not use the correct sql capabilities but just append strings to a query and execute... you might be targetd by SQLInjection attacks. So yeah, either you should check the input or use the correct mysql driver functions to be safe here!