CUID2 Validator

What is a CUID2?

CUID2 (Collision-resistant Unique IDentifier, version 2) is a modern scheme for generating unique ids in distributed systems. It is the successor to the now-deprecated CUID v1, redesigned with security and privacy as the primary goals. A CUID2 looks like tz4a98xxat96iws9zmbrgj3a: lowercase base36 characters only.

Format rules

• Characters are lowercase base36: digits 0-9 and letters a-z.
• The id MUST start with a letter, never a digit.
• Default length is 24 characters, but it is configurable from 2 to 32.
• No hyphens, no uppercase, no special characters.

Validation therefore checks the character set, the leading-letter rule, and the length range.

Why CUID2 over CUID v1

CUID v1 embedded a timestamp, a counter, and a host fingerprint, which could leak information (creation time, generation rate, machine identity). CUID2 instead hashes a pool of entropy with SHA3, so the output leaks no such metadata. The trade-off: a CUID2 is not lexicographically sortable by creation time. If you need ids that sort chronologically, reach for ULID or UUIDv7 instead.

CUID2 vs other id schemes

• UUID — 128-bit, hex with hyphens; standardized but longer and (v4) random.
• NanoID — compact, configurable alphabet; great for URLs but no privacy guarantees by design.
• ULID — time-sortable and Crockford base32; opposite trade-off to CUID2.
• CUID2 — privacy-first, collision-resistant, but not sortable.

Common pitfalls

• Allowing an id that starts with a digit — invalid for CUID2.
• Accepting uppercase letters; CUID2 is strictly lowercase.
• Assuming you can sort records by their CUID2 to get chronological order — you cannot.
• Confusing CUID2 with the deprecated CUID v1 (which started with the letter c and was longer).

FAQ

Can two CUID2s ever collide? The design makes collisions astronomically unlikely across distributed generators, which is the whole point — but no scheme is mathematically collision-free, so it is "collision-resistant," not "collision-impossible."

Why not just use UUIDv4? Both are random and unsortable; CUID2 is shorter, URL-friendly (no hyphens), and explicitly hardened against metadata leakage.

What length should I use? The default 24 is a good balance. Shorter ids raise collision risk; you only need longer ones for extremely high-volume generation.