DEV Community: Sammit Pal The latest articles on DEV Community by Sammit Pal (@sammitpal). https://dev.to/sammitpal https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3846941%2F13fb36d7-0558-49e6-94f2-1b3832c5b02a.png DEV Community: Sammit Pal https://dev.to/sammitpal en genkode — Random ID & String Generator for Node.js Sammit Pal Sun, 29 Mar 2026 14:59:51 +0000 https://dev.to/sammitpal/genkode-random-id-string-generator-for-nodejs-1nb6 https://dev.to/sammitpal/genkode-random-id-string-generator-for-nodejs-1nb6 <p>Generating random strings comes up constantly in backend work — session tokens, invoice numbers, API keys, temporary codes, test data. Most of the time you end up copy-pasting the same <code>Math.random().toString(36)</code> snippet or reaching for a heavy library when you only need one function.</p> <p>I built <strong>genkode</strong> to fix that for myself, and after using it across a few projects I cleaned it up and published it. Zero dependencies, full TypeScript support, and a small focused API that handles the cases I kept running into.</p> <p>Here's what it does and how I built it.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>genkode </code></pre> </div> <h2> The basics </h2> <p>The main export is <code>generateCode</code>. At its simplest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">generateCode</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">genkode</span><span class="dl">'</span><span class="p">;</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">12</span> <span class="p">});</span> <span class="c1">// → 'rqfvYxJRWfoP' (alpha by default)</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">alphanumeric</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → 'aZ8kL2pQ9xW1'</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">numeric</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → '362128126198'</span> </code></pre> </div> <p>Three types: <code>alpha</code>, <code>numeric</code>, <code>alphanumeric</code>. That covers most cases without any configuration overhead.</p> <h2> Cryptographically secure mode </h2> <p>By default the library uses <code>Math.random</code> — fast, but not suitable for anything security-sensitive. Set <code>secure: true</code> and it switches to <code>crypto.getRandomValues</code> from the Web Crypto API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">32</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">alphanumeric</span><span class="dl">"</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="c1">// → 'Tz3mW8qA1nXpKj7rBv2cYs9dLf4mNe6h'</span> </code></pre> </div> <p>There's an important subtlety here though: naively doing <code>byte % charsetLength</code> introduces <strong>modulo bias</strong> — characters at the start of your charset get picked slightly more often than characters at the end when 256 doesn't divide evenly by your charset size.</p> <p>genkode uses <strong>rejection sampling</strong> to eliminate this. Any random byte that would cause bias is discarded and a new one is fetched. The result is a perfectly uniform distribution across the charset.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Internal logic (simplified)</span> <span class="kd">const</span> <span class="nx">threshold</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="mi">256</span> <span class="o">/</span> <span class="nx">max</span><span class="p">)</span> <span class="o">*</span> <span class="nx">max</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">byte</span> <span class="o">&lt;</span> <span class="nx">threshold</span><span class="p">)</span> <span class="p">{</span> <span class="nx">result</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">charset</span><span class="p">[</span><span class="nx">byte</span> <span class="o">%</span> <span class="nx">max</span><span class="p">]);</span> <span class="p">}</span> <span class="c1">// Otherwise discard and try again</span> </code></pre> </div> <h2> Performance: buffered generation </h2> <p>Both standard and secure modes use <strong>buffered byte generation</strong> rather than calling <code>crypto.getRandomValues</code> once per character. The buffer is sized to the request (capped at 65,536 bytes, which is Node's hard limit for a single <code>getRandomValues</code> call) and refilled in chunks as needed.</p> <p>For most use cases this is invisible, but for high-volume batch generation it makes a meaningful difference.</p> <h2> Prefix and suffix </h2> <p>A pattern I kept needing: codes with a static prefix that identify their type at a glance — <code>INV-</code> for invoices, <code>USR-</code> for users, <code>TKN-</code> for tokens.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">INV-</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → 'INV-rqfvYxJR'</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ORD-</span><span class="dl">"</span><span class="p">,</span> <span class="na">suffix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">-2025</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → 'ORD-rqfvYxJR-2025'</span> </code></pre> </div> <p>The <code>length</code> always refers to the generated segment — not the total string length including affixes. So <code>INV-</code> + 8 chars = 12 characters total.</p> <h2> Batch generation </h2> <p>Pass <code>count</code> and you get an array back instead of a single string. The return type is overloaded in TypeScript so you get correct inference automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">count</span><span class="p">:</span> <span class="mi">5</span> <span class="p">});</span> <span class="c1">// → ['rqfvYxJRWf', 'TzAmW8qAnX', 'pLkQmNbVcD', 'HgFsJwKyRt', 'MnPxZuCvBe']</span> </code></pre> </div> <p>Add <code>unique: true</code> and the library guarantees no duplicates in the batch. If you ask for more unique codes than the charset and length combination can produce, it throws a <code>KodeError</code> upfront rather than looping forever:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">count</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="c1">// → string[] with 1000 guaranteed-unique codes</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">numeric</span><span class="dl">"</span><span class="p">,</span> <span class="na">count</span><span class="p">:</span> <span class="mi">11</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="c1">// → throws KodeError: cannot generate 11 unique codes from charset of size 10</span> </code></pre> </div> <h2> Short ID mode </h2> <p>The <code>shortId</code> flag switches to a reduced charset that strips visually ambiguous characters — <code>0</code>, <code>O</code>, <code>1</code>, <code>l</code>, <code>I</code>. These are the characters that cause support tickets when users misread a code from a screen or printout.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="na">shortId</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="c1">// → '3Ks9mBx4nPqR' — no 0/O/1/l/I</span> </code></pre> </div> <p>The charset is <code>23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ</code> — 54 characters, still high entropy, fully URL-safe.</p> <h2> Case control </h2> <p>Sometimes you need all uppercase (licence keys, voucher codes) or all lowercase (slugs, usernames). The <code>case</code> option handles this at the charset level rather than post-processing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="na">case</span><span class="p">:</span> <span class="dl">"</span><span class="s2">upper</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → 'RQFVYXJRWFOP'</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="na">case</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lower</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → 'rqfvyxjrwfop'</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">alphanumeric</span><span class="dl">"</span><span class="p">,</span> <span class="na">case</span><span class="p">:</span> <span class="dl">"</span><span class="s2">upper</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → 'AZ8KL2PQ9XW1'</span> </code></pre> </div> <p>It composes cleanly with everything else:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Human-readable voucher code: no ambiguous chars, all caps</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="na">shortId</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">case</span><span class="p">:</span> <span class="dl">"</span><span class="s2">upper</span><span class="dl">"</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SALE-</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → 'SALE-3KS9MBXN'</span> </code></pre> </div> <h2> Error handling </h2> <p>Rather than silently producing garbage for invalid inputs, genkode throws a typed <code>KodeError</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">generateCode</span><span class="p">,</span> <span class="nx">KodeError</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">genkode</span><span class="dl">'</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">0</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">KodeError</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="c1">// → 'length must be at least 1, got: 0'</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>It validates that <code>length</code> and <code>count</code> are integers, that <code>length</code> is between 1 and 100,000, and that unique batch requests are actually satisfiable.</p> <h2> Quick reference </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Option</th> <th>Type</th> <th>Default</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>length</code></td> <td><code>number</code></td> <td>—</td> <td>Required. Length of the generated segment (1–100,000)</td> </tr> <tr> <td><code>type</code></td> <td><code>"alpha"</code></td> <td><code>"numeric"</code></td> <td><code>"alphanumeric"</code></td> </tr> <tr> <td><code>case</code></td> <td><code>"upper"</code></td> <td><code>"lower"</code></td> <td>—</td> </tr> <tr> <td><code>secure</code></td> <td><code>boolean</code></td> <td><code>false</code></td> <td>Cryptographically secure output</td> </tr> <tr> <td><code>prefix</code></td> <td><code>string</code></td> <td><code>""</code></td> <td>Static prefix</td> </tr> <tr> <td><code>suffix</code></td> <td><code>string</code></td> <td><code>""</code></td> <td>Static suffix</td> </tr> <tr> <td><code>count</code></td> <td><code>number</code></td> <td>—</td> <td>Batch size — returns <code>string[]</code> </td> </tr> <tr> <td><code>unique</code></td> <td><code>boolean</code></td> <td><code>false</code></td> <td>Guarantee uniqueness within batch</td> </tr> <tr> <td><code>shortId</code></td> <td><code>boolean</code></td> <td><code>false</code></td> <td>Exclude ambiguous characters</td> </tr> </tbody> </table></div> <h2> Real-world examples </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// API key</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">32</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">alphanumeric</span><span class="dl">"</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sk_live_</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → 'sk_live_Tz3mW8qA1nXpKj7rBv2cYs9dLf4m'</span> <span class="c1">// Invoice number</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">numeric</span><span class="dl">"</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">INV-</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → 'INV-36212812'</span> <span class="c1">// Voucher code (human-readable, no ambiguous chars)</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="na">shortId</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">case</span><span class="p">:</span> <span class="dl">"</span><span class="s2">upper</span><span class="dl">"</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SALE-</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → 'SALE-3KS9MBXN'</span> <span class="c1">// Seed 100 unique test user IDs</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="na">count</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user_</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// → ['user_rqfvYxJRWfoP', ...]</span> <span class="c1">// Short session token</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">alphanumeric</span><span class="dl">"</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="c1">// → 'Tz3mW8qA1nXpKj7rBv2cYs9d'</span> </code></pre> </div> <h2> Links </h2> <ul> <li> <strong>npm:</strong> <a href="https://www.npmjs.com/package/genkode" rel="noopener noreferrer">npmjs.com/package/genkode</a> </li> <li> <strong>Related JS-only package:</strong> <a href="https://www.npmjs.com/package/node-mumble" rel="noopener noreferrer">node-mumble</a> </li> </ul> <p>If you find it useful or have a feature in mind, feedback is welcome. Happy to discuss the rejection sampling approach or the buffering strategy in the comments too.</p> node typescript npm opensource Building a Zero-Dependency Random String Generator for Node.js (With Secure Mode) Sammit Pal Sat, 28 Mar 2026 06:27:50 +0000 https://dev.to/sammitpal/building-a-zero-dependency-random-string-generator-for-nodejs-with-secure-mode-2l29 https://dev.to/sammitpal/building-a-zero-dependency-random-string-generator-for-nodejs-with-secure-mode-2l29 <p>Generating random strings is one of those things every backend developer ends up doing — IDs, tokens, session keys, you name it.</p> <p>But while working on this, I realized most implementations fall into a few common traps:</p> <ul> <li>Using <code>Math.random()</code> everywhere (not secure)</li> <li>Inefficient "generate + filter" logic</li> <li>Pulling heavy dependencies for a simple problem</li> </ul> <p>So I decided to build a clean solution from scratch — and learned a few interesting things along the way.</p> <h2> ❌ The Common Mistake </h2> <p>A lot of implementations generate from a full alphanumeric charset and then filter results using a regex check inside the loop — only keeping characters that match the desired type. This means:</p> <p><strong>Problems:</strong></p> <ul> <li>Wastes iterations (filtering)</li> <li>Uses regex inside loops</li> <li>Performance depends on randomness</li> <li>Hard to maintain</li> </ul> <h2> ✅ A Better Approach </h2> <p>Instead of generating and filtering — generate directly from the correct character set. Pre-define separate charsets for alpha, numeric, and alphanumeric, then index into the right one. This eliminates filtering entirely and keeps every iteration productive.</p> <h2> 🔐 Adding a Secure Layer </h2> <p>For things like API keys, auth tokens, and session IDs — <code>Math.random()</code> is not enough.</p> <p>So I implemented a secure version using the Web Crypto API (<code>crypto.getRandomValues</code>), with rejection sampling to eliminate modulo bias — ensuring every character in the charset has a perfectly uniform probability of being chosen.</p> <h2> 🧠 Why This Matters </h2> <p><strong>🔹 Cryptographic randomness</strong><br> Uses OS-level entropy instead of pseudo-random numbers.</p> <p><strong>🔹 No modulo bias</strong><br> Ensures uniform distribution of characters.</p> <p><strong>🔹 Predictable performance</strong><br> O(n) complexity with no wasted iterations.</p> <h2> ⚡ Final API Design </h2> <p>I wrapped everything into a simple interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">12</span> <span class="p">});</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">alpha</span><span class="dl">"</span> <span class="p">});</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> </code></pre> </div> <h2> 📦 The Result </h2> <p>I packaged this into a small utility: <strong>genkode</strong> — random string &amp; ID generator (zero dependency).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">generateCode</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">genkode</span><span class="dl">"</span><span class="p">;</span> <span class="nf">generateCode</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">10</span> <span class="p">});</span> <span class="c1">// "a8KxP2LmQz"</span> </code></pre> </div> <p>👉 <a href="https://www.npmjs.com/package/genkode" rel="noopener noreferrer">https://www.npmjs.com/package/genkode</a></p> <h2> 💡 Key Takeaways </h2> <ul> <li>Avoid generate + filter patterns</li> <li>Use the correct character domain upfront</li> <li>Use <code>crypto</code> for anything security-related</li> <li>Keep utilities simple and dependency-free</li> </ul> <p>If you've tackled this differently or have suggestions, I'd love to hear them 👇</p> node javascript typescript opensource