Generate CUID2

A CUID2-shaped random identifier of 4–32 base36 characters that always starts with a lowercase letter — no plaintext timestamp or generator fingerprint, designed to be hard to guess and safe to expose in URLs.

Browser extensions can read all data on this page. Use a private/incognito window with extensions disabled.

Generated · 0 IDs

Options

Quantity

Length

CUID2 supports 4–32 characters.

All zeros, for testing and defaults

This ID

Length 24 chars

Bits ~124 (1 × 4.7 bits + 23 × 5.2 bits)

Collision risk negligible

Features

URL-safe

Collision

1% collision chance after ≈ 653,830,260,138,272,015 IDs

Random part 124 random bits

Counted together Same length

This implementation samples the characters directly from cryptographic randomness. There is no timestamp or fingerprint, so the estimate applies to all CUID2s generated with the selected length.

Validate and parse CUID2

Paste an ID

Paste CUID2

About CUID2

Use when: you want CUID-style strong collision resistance without leaking the creation time or a generator fingerprint in the ID.

Avoid when: you need lexicographic time ordering — pick UUID v7, ULID, or KSUID.

How it is generated

This browser implementation keeps the CUID2 public shape — no readable timestamp, no generator fingerprint, and a lowercase letter first so the ID is never numeric. It uses direct CSPRNG sampling rather than the reference implementation’s hash mixer.

The length is configurable (4–32 chars, default 24). The first character is a uniform lowercase letter; the rest comes from base36. Every character after the first is an independent uniform draw, so collision resistance scales at about 5.17 bits per body character.

01 Pick a random lowercase letter (a–z) using rejection sampling from crypto.getRandomValues.
02 For each remaining position (length − 1 chars), pull a byte from crypto.getRandomValues and use rejection sampling to map it into the 36-char base36 alphabet.
03 Concatenate to get the final string. Default length 24 → ~124 bits of entropy.

t 4jxnryav56ay32itmp68qiw    (default 24 chars; visual space only)
│ └──────────┬──────────┘
│            └── length-1 base36 chars (uniform, crypto-quality)
└─────────────── leading letter (a-z), so the ID never starts with a digit

Alphabet:
  first char  a-z              (so the ID is never numeric)
  rest        0-9 a-z          (lowercase base36)

Entropy: log2(26) + (length - 1) × log2(36); default 24 ≈ ~124 bits.

All of this runs in your browser. Random bytes come from crypto.getRandomValues, timestamps come from the system clock, and nothing about the generated ID leaves the tab.