NanoID Generator
GeneratorGenerate secure, URL-safe NanoIDs with custom alphabet and length. Smaller than UUIDs, more entropy per character. Runs entirely in your browser.
| Possible unique IDs | 8.51 × 10^37 |
| IDs for 1% collision chance | 1.31 × 10^18 |
| At 1,000 IDs/sec | ~41437K years |
| At 1,000,000 IDs/sec | ~41K years |
| At 1,000,000,000 IDs/sec | ~41 years |
NanoID is a tiny, secure, URL-friendly unique ID generator created by Andrey Sitnik in 2017. Its default format — 21 URL-safe characters — provides 126 bits of randomness, comparable to UUID v4, while being 31% shorter (21 chars vs 36 chars including hyphens).
Unlike UUID v4, which is fixed at 128 bits in a specific hex+hyphen format, NanoID lets you choose your alphabet and size. This flexibility lets you tune the ID for readability, URL safety, or extreme compactness (e.g. a 10-char hex ID for short URLs). Every preset generates IDs that are safe to embed in URLs without percent-encoding.
All randomness comes from the Web Crypto API (crypto.getRandomValues), so NanoIDs are cryptographically secure. The algorithm uses a mask + rejection-sampling approach to avoid modulo bias, ensuring uniform distribution across the alphabet regardless of its size.
| Format | Chars | Entropy | URL-safe |
|---|---|---|---|
| NanoID (default) | 21 | 126 bits | ✓ Yes |
| UUID v4 | 36 | 122 bits | ✗ No |
| UUID v7 | 36 | 74 bits random | ✗ No |
| ULID | 26 | 80 bits random | ✓ Yes |
About this tool
About NanoID Generator
NanoID is a compact, secure, URL-friendly identifier format created by Andrey Sitnik. In 21 URL-safe characters it delivers 126 bits of entropy — matching UUID v4's security while being 31% shorter. Its key innovation is configurability: you can choose any alphabet and any length, letting you tune IDs for readability, compactness, or domain-specific requirements without sacrificing cryptographic quality.
The generator uses crypto.getRandomValues for all randomness, combined with a mask + rejection-sampling algorithm that eliminates modulo bias and guarantees uniform distribution across any custom alphabet. Five built-in presets cover the most common use cases: URL-safe (64 chars, default), numbers-only (10 chars), lowercase alphanumeric (36 chars), uppercase alphanumeric (36 chars), and hex (16 chars). A custom mode lets you type any alphabet from 2 to 256 unique characters.
NanoID is used across the JavaScript ecosystem as a drop-in replacement for UUID v4 in cases where ID length matters — public-facing URLs, client-side state keys, cache keys, document IDs in NoSQL stores (MongoDB, Firestore), message correlation IDs, and any context where you want short, unique, opaque identifiers that are safe to expose in URLs without percent-encoding.
Compared to UUID v4, NanoID is shorter (21 vs 36 chars), naturally URL-safe (no need to strip hyphens or encode), and fully configurable. Compared to ULID, NanoID has no timestamp leak — the ID is fully opaque. Compared to random strings generated with Math.random(), NanoID uses CSPRNG, making it safe for security-sensitive identifiers. The built-in collision estimator lets you verify the safety margin for any alphabet and size combination.
Key Features
- 21-character URL-safe default (126 bits of entropy)
- Custom alphabet: URL-safe, numbers, lowercase, uppercase, hex, or any set
- Custom length: 8 to 256 characters
- Bias-free: mask + rejection sampling for uniform distribution
- Cryptographically secure via Web Crypto API
- Bulk generation: up to 1000 IDs at once
- Live collision probability estimator
- One-click copy per ID and copy-all
- 100% browser-based, no server calls
FAQ
NanoID Generator — Frequently Asked Questions
Is NanoID secure?
Yes. All randomness comes from crypto.getRandomValues (the Web Crypto API), which is a cryptographically secure pseudo-random number generator available in all modern browsers. The mask + rejection-sampling algorithm ensures each character in the output is uniformly distributed across the alphabet with no modulo bias. This makes NanoIDs suitable for security-sensitive identifiers like session tokens, API keys, and document IDs — as long as the alphabet and length provide sufficient entropy for your threat model.
What length should I use?
The default 21 characters with the URL-safe alphabet (64 chars) gives 126 bits of entropy — essentially the same as UUID v4. For most applications this is more than enough. If you need shorter IDs (e.g. 10-char short URLs), use the collision estimator: it shows how many IDs you'd need to generate before a 1% collision probability at your chosen settings. As a rule of thumb, stay above 100 bits of entropy (at least 17 chars with the URL-safe alphabet) for any application generating millions of IDs.
Can I use a custom alphabet?
Yes. Switch the preset to 'Custom' and type any characters you want. The minimum is 2 unique characters (though that would be very inefficient). Common custom alphabets include: numeric-only for human-readable short codes (e.g. 6-digit OTPs), uppercase-only to avoid visual ambiguity (no l/1 or O/0 confusion), or domain-specific sets like Crockford Base32. The duplicate characters are removed automatically — only unique characters count toward the alphabet size.
NanoID vs UUID v4 — which should I use?
Both are cryptographically secure and practically collision-proof. Choose NanoID when: IDs appear in URLs (URL-safe by default, no percent-encoding needed), you want shorter IDs, or you need a custom alphabet. Choose UUID v4 when: your database column is typed UUID (PostgreSQL, MySQL UUID type), you need RFC-compliant identifiers, or your team/library already assumes hyphenated hex format. In JavaScript, NanoID is often preferred for application-layer IDs while UUID v4 is used for database primary keys.
Why does the algorithm use mask + rejection sampling?
When mapping random bytes to an alphabet whose size is not a power of 2, a naive modulo operation (byte % alphabetLength) introduces modulo bias — characters at the start of the alphabet appear slightly more often than others. The mask + rejection sampling approach fixes this: it masks each byte to the nearest power of 2 above the alphabet length, then discards any value ≥ alphabetLength and retries. This guarantees each character in the output has exactly equal probability, which matters for both security and statistical uniformity.
What is the collision probability?
The collision estimator uses the birthday paradox formula: the number of IDs before a 1% collision chance is approximately √(2 × A^L × ln(1/(1−0.01))), where A is the alphabet size and L is the ID length. For the default 21-char URL-safe NanoID (64-char alphabet), you'd need ~2.7 × 10^17 IDs before hitting 1% collision risk — at 1 million IDs per second, that's over 8 billion years. In practice, NanoID collisions are not a concern for any realistic workload.
Tips
- Use the URL-safe preset for IDs that appear in URLs — no percent-encoding needed
- Check the collision estimator whenever you change the alphabet or length — it updates live
- For human-readable short codes (OTPs, invite codes), use numbers-only or uppercase preset with length 6–8
- Copy All outputs one ID per line, ready to paste into a SQL script, CSV, or config file