hashids

Generate short unique ids from integers


available in JavaScript, Ruby, Python, Java, Scala, PHP, Perl, Swift, Objective-C, C, C++11, Go, Lua, Elixir, ColdFusion, Groovy, Kotlin, Nim, VBA, CoffeeScript and for Node.js & .NET

Hashids is a small open-source library that generates short, unique, non-sequential ids from numbers.

It converts numbers like 347 into strings like “yr8”, or array of numbers like [27, 986] into “3kTMd”.

You can also decode those ids back. This is useful in bundling several parameters into one or simply using them as short UIDs.

Are you also using Hashids? Add your project.

Node.js version

var hashids = new Hashids("this is my salt"),
  id = hashids.encode(1, 2, 3),
  numbers = hashids.decode(id);

Implemented by Ivan Akimovhttps://github.com/ivanakimov/hashids.node.js
Also check out:

Features

  1. Create short unique ids.
  2. Allow custom alphabet as well as salt — so ids are unique only to you.
  3. Incremental input is mangled to stay unguessable.
  4. Code is tiny (~350 lines), fast and does not depend on external libraries.

Compatibility table

Current stable version across implementations is 1.0. We're in the process of updating all versions to 1.0, so please be patient. Versions are tagged as major.minor.patch — we try to follow SemVer but be sure to check the changelog of each library for details.

Since produced ids might differ after updates, be sure to include exact version of Hashids, so you don't unknowingly change your existing ids. For example for npm use:

JSON"dependencies": {
  "hashids": "1.0.0"
}

And not: "hashids": "~1.0.0"

  • JavaScript
    Ruby
    Python
    Java
    Scala
    PHP
    Perl
    Swift
    Objective-C
    C
    C++11
    Go
    Lua
    Elixir
    ColdFusion
    Groovy
    Node.js
    .Net
    Kotlin
    Nim
    VBA
    CoffeeScript
  • 1.0.* (stable)
  • 0.3.* (previous)

How does it work?

Hashids works similarly to the way integers are converted to hex, but with a few exceptions:

  1. The alphabet is not base16, but base base62 by default.
  2. The alphabet is also shuffled based on salt.

This JavaScript function shows regular conversion of integers to hex. It's part of Hashids (although this is a modified example):

JavaScriptfunction toHex(input) {
  
  var hash = "",
    alphabet = "0123456789abcdef",
    alphabetLength = alphabet.length;
  
  do {
    hash = alphabet[input % alphabetLength] + hash;
    input = parseInt(input / alphabetLength, 10);
  } while (input);
  
  return hash;
  
}

#%@&$!!11

bouncercat awesomed by cameronmcefee

We need ids to be nice and friendly especially if they end up being in the URL.

Therefore, the algorithm tries to avoid generating most common English curse words by never placing the following letters (and their uppercase equivalents) next to each other:

c, s, f, h, u, i, t

This is done by using them as separators.

Are there any alternatives?

Yes, there are a few and you should pick the most appropriate for the job. Hashids is not perfect for everything.

  1. Base64 encode. This is the most straightforward approach — most languages have these functions. If you don't need all the fancy extras Hashids has to offer, this method will work just fine. It'll probably be faster too. Read more.
  2. Generate ids based on timestamp. If you can afford certain degree of collisions, you could compose an id that's built on the fly. Use a counter (if you have one) + timestamp (even better if in milliseconds) + some system value (either an IP address or some machine id) + a random integer. Many big companies implement this approach because it works well in distributed systems. These ids are generated independently of each other and the risk of collisions is so tiny it's negligible.
  3. Check out how others do it:

    - How does Instagram generate ids?

  4. Know of another method? Tell me @IvanAkimov or ivanbarreleyecom

What not to do

  1. Do not encode strings. We've had several requests to add this feature — "it seems so easy to add". We will not add this feature for security purposes, doing so encourages people to encode sensitive data, like passwords. This is the wrong tool for that.
  2. Do not encode sensitive data. This includes sensitive integers, like numeric passwords or PIN numbers. This is not a true encryption algorithm. There are people that dedicate their lives to cryptography and there are plenty of more appropriate algorithms: bcrypt, md5, aes, sha1, blowfish. Here's a full list.

Collisions

There are no collisions because the method is based on integer to hex conversion. As long as you don't change constructor arguments midway, the generated output will stay unique to your salt.

Additionally, we encourage you to pre-generate a large number of ids for testing purposes — to analyze their uniqueness, whether they look random enough for your project and what your upper integer limit is (which usually depends on your system/language).

Please note that generated ids are case-sensitive by default ("Aaa" is not the same id as "aaa").

Why "hashids"?

Originally the project referred to generated ids as hashes, and obviously the name hashids has the word hash in it. Technically, these generated ids cannot be called hashes since a cryptographic hash has one-way mapping (cannot be decrypted).

However, when people search for a solution, like a "youtube hash" or "bitly short id", they usually don't really care of the technical details. So hashids stuck as a term — an id that's used to obfuscate numbers.

Decoding without salt

There is no way to decode the output without knowing the salt (refer to how hashids works). The only known way is to use a brute-force attack.

How to contribute

If you've found a bug, please open a github issue in the appropriate repository. Bonus points if you submit a pull request with it.

If an implementation in your favorite language is missing, feel free to port it over from one of the existing versions. There's still plenty of languages to contribute in: D, Rust, Julia, Erlang, Haskell, Scheme, Tcl, Lolcode?

We try to keep the library versions compatible. If you see an outdated version in an existing implementation, please open a github issue in that repository — show your +1 support for that issue.

If you have a new library, plugin or extension ping me @IvanAkimov. You can also reach me at ivanbarreleyecom

codercat by cameronmcefee

Are you using Hashids?

Whether it's an open-source project or a commercial product, tell us at https://github.com/hashids/hashids.github.io/wiki/Who's-Using-Hashids !

Hashids elsewhere

If you have a question about Hashids, a lot has already been answered. Try checking one of these:

Maintainers

Many thanks to the numerous folks that have implemented the different versions, plugins, extensions as well as to those that have suggested general improvements.

License

All hashids libraries are under MIT license. You can use them in open source projects and commercial products. Don't break the Internet. Kthxbye.