Nano ID Generator
Generate short, URL-safe, cryptographically random IDs with configurable length and alphabet
Configuration
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-Nano ID vs UUID
| Feature | Nano ID (21) | UUID v4 |
|---|---|---|
| Length | 21 chars | 36 chars |
| Entropy | 126 bits | 122 bits |
| URL-safe | Yes (default) | With encoding |
| Customizable | Yes | No |
| Sortable | No | No |
You need a short, URL-safe unique identifier for a user-facing URL slug, a session token, or a shareable link. UUID v4 is 36 characters with hyphens — too long and contains characters that need encoding in some contexts. You want something shorter, still cryptographically random, and optionally constrained to a specific character set. That is what Nano ID is designed for.
What Is Nano ID?
Nano ID is a tiny, URL-safe, cryptographically random ID generator. Created by Andrey Sitnik (the author of PostCSS and Autoprefixer) and first published in 2017, it became one of the most downloaded npm packages — with 70 million+ weekly downloads.
A typical Nano ID with default settings looks like: V1StGXR8_Z5jdHi6B-myT
The default length is 21 characters using a URL-safe alphabet of 64 characters (A-Z, a-z, 0-9, -, _). This gives 126 bits of entropy — slightly more than UUID v4’s 122 bits — in a 21-character string versus UUID’s 36 characters.
How Nano ID Differs from UUID
UUID v4 generates a fixed 128-bit random value encoded as 32 hex characters with 4 hyphens. Nano ID is more flexible:
- Configurable length: 1 to 256 characters
- Configurable alphabet: any set of characters
- Shorter by default: 21 chars vs 36 for the same entropy level
- No hyphens: works natively in URLs, CSS class names, HTML IDs
- No version bits: all characters contribute entropy
Alphabet Options
This generator offers several preset alphabets:
- URL-safe (default):
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-(64 chars). Safe for URLs, filenames, and CSS without encoding. - Letters + Numbers:
A-Z,a-z,0-9(62 chars). Works everywhere including XML attributes. - Lowercase + Numbers:
a-z,0-9(36 chars). Good for compact identifiers in case-insensitive contexts. - Uppercase + Numbers:
A-Z,0-9(36 chars). Common in voucher codes and license keys. - Numbers Only:
0-9(10 chars). Useful for numeric codes, but requires much longer IDs for safety. - Hex:
0-9a-f(16 chars). Compatible with systems expecting hexadecimal input. - Custom: define your own alphabet.
How Entropy and Length Interact
The collision safety indicator in this tool estimates how many IDs you can generate before a 1% collision probability is reached. This is calculated from:
safe_count ≈ sqrt(2 × alphabet_size^length × 0.01)Reducing the alphabet size dramatically increases the required length for the same safety level:
| Alphabet Size | Length for 126-bit Entropy |
|---|---|
| 64 chars | 21 |
| 36 chars | 25 |
| 16 chars (hex) | 32 |
| 10 chars | 38 |
This is why the default 21-character URL-safe alphabet is the recommended choice — it achieves UUID-level entropy in the shortest string.
Generating Nano IDs in Code
// npm install nanoid
import { nanoid } from 'nanoid';
// Default: 21 chars, URL-safe alphabet
const id = nanoid();
// "V1StGXR8_Z5jdHi6B-myT"
// Custom length
const shortId = nanoid(10);
// "IRFa-VaY2b"
// Custom alphabet — use customAlphabet()
import { customAlphabet } from 'nanoid';
const numbersOnly = customAlphabet('1234567890', 12);
const id = numbersOnly();
// "243814714324"
// URL-safe numbers+letters only
const alphanumeric = customAlphabet(
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',
21
);# pip install nanoid
from nanoid import generate
# Default
id = generate()
# "V1StGXR8_Z5jdHi6B-myT"
# Custom size
id = generate(size=10)
# Custom alphabet
id = generate('abcdefghijklmnopqrstuvwxyz', 8)// go get github.com/matoous/go-nanoid/v2
import gonanoid "github.com/matoous/go-nanoid/v2"
// Default
id, _ := gonanoid.New()
// Custom size
id, _ := gonanoid.New(10)
// Custom alphabet
id, _ := gonanoid.Generate("abc123", 21)Why Crypto.getRandomValues() Matters
This tool — and the official Nano ID library — uses crypto.getRandomValues() rather than Math.random(). The difference matters for security:
Math.random() uses a deterministic pseudorandom number generator (PRNG) with a small state. Given enough output, an attacker can reconstruct the state and predict future values. This makes Math.random() unsuitable for generating tokens, session IDs, or any value where unpredictability is important.
crypto.getRandomValues() uses the browser’s cryptographically secure random number generator (CSPRNG), which draws entropy from OS-level sources (hardware events, interrupt timing). Its output cannot be predicted even with full knowledge of previous outputs.
This tool also uses rejection sampling to avoid modulo bias — a subtle bug where naively applying randomByte % alphabetLength over-represents certain characters when the alphabet size does not evenly divide 256. The correct approach masks bytes to the smallest power-of-two range that covers the alphabet, then rejects values outside the valid range.
Use Cases
URL slugs: nanoid(8) generates an 8-character URL-safe ID — short enough to type, long enough to avoid collisions in apps with millions of records.
Short links: URL shorteners like Bitly use similar IDs. With 21 chars from a 64-char alphabet, you can generate IDs for centuries before collision risk becomes relevant.
Session tokens: With the default alphabet and length, Nano ID provides 126 bits of entropy — exceeding the OWASP recommendation of 128 bits for session identifiers.
CSS class names and HTML IDs: Nano IDs with the letters-only alphabet are valid CSS identifiers (they start with a letter, not a digit). Useful for generating unique IDs for dynamically created elements.
Database record identifiers: When you need a short primary key visible in URLs — user profiles, posts, documents — Nano ID at length 12–16 provides sufficient collision resistance for most applications.
Privacy
All ID generation runs entirely in your browser. No inputs, no generated IDs, and no configuration are sent to any server. Your identifiers remain private.
Frequently Asked Questions
Is Nano ID secure enough for session tokens?
Yes. With the default settings (21 chars, 64-char alphabet), Nano ID provides 126 bits of entropy using crypto.getRandomValues(). This exceeds OWASP’s minimum recommendation for session IDs and is suitable for most security-sensitive applications.
What length should I use? The default 21 characters provides UUID-equivalent entropy. For URL slugs where collision probability is low (< 1 million records), 10–12 characters is often sufficient. For security tokens (session IDs, API keys), stay at 21+ characters.
Can I make a Nano ID that starts with a letter? Yes — use the Letters + Numbers or custom alphabet and ensure the first character is a letter. You can generate the first character separately with a letters-only alphabet and append the rest with a full alphanumeric alphabet.
Does Nano ID have timestamps like ULID? No. Nano ID is purely random — there is no embedded timestamp and IDs do not sort by creation time. Use ULID or UUID v7 if you need time-ordered identifiers.