cuidversionv2

What is a CUID2

CUID2 (Collision-resistant Unique Identifier, version 2) generates secure, collision-resistant ids optimized for horizontal scaling and performance. The output is a string of lowercase letters and digits (base36), 24 characters by default, always starting with a letter so it is safe to use in HTML ids, CSS selectors, and URLs.

Why it replaced CUID

The original CUID was sortable and monotonic, and exposed its structure (timestamp, counter) in plaintext. That leaked information and made ids partially predictable. CUID2 was redesigned after a security review to remove these weaknesses by hashing all of its inputs.

How it is generated

It combines several entropy sources — a random initial letter, the current timestamp, a session counter, a host fingerprint, and cryptographically secure random data — then hashes them together and encodes the result in base36. Mixing independent sources keeps collision odds negligible across many machines without coordination.

Secure by design

Because every input passes through a one-way hash, a CUID2 reveals nothing about when or where it was created and cannot be reverse-engineered. It is not meant to be a secret token, but it avoids the information leakage of sequential ids.

Configurable length

The default length is 24 characters. You can request longer ids to push collision probability even lower for very large datasets, or shorter ones when space matters and a slightly higher collision risk is acceptable.

Not sortable — the trade-off

Unlike UUID v7 or the old CUID, CUID2 is deliberately not sortable by creation time. This protects privacy, but it means you cannot rely on the id for chronological ordering — add a separate timestamp column if you need that.

When to use it

A good default for application-level ids (users, sessions, records) when you want short, URL-safe, unguessable identifiers and do not need database-native time ordering. If sortable keys matter most, UUID v7 may fit better.

© 2026 Unique ID Generator by meluiz