Promo Code Validator

Check a promo code against a configured format: length, allowed characters (alphanumeric and hyphen) and an optional Luhn checksum.

Promo code anatomy: how Stripe, Shopify and Magento think about coupons

A promotional code is a short, human-readable string that maps to a discount, free shipping, gift item or feature unlock. While the implementation differs across e-commerce platforms, the structure converges on a small set of conventions: uppercase alphanumeric, 6 to 20 characters, optional hyphens for readability. Examples in production: BLACKFRIDAY30 (Stripe Coupons API), SAVE10 (Shopify Discount API), WINTER24-VIP (Magento Cart Rules), ALICE-2024-X8M (WooCommerce personalized codes).

Validation at the input level should be permissive and forgiving: accept upper and lowercase (normalize server-side), strip whitespace, allow hyphens. Hard-rejecting invalid characters in the input box is fine; surfacing a friendly message is better than a silent regex failure. This tool performs that first-line format check before your backend hits the database for uniqueness, expiry and per-user-quota validation.
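
An added example, not the tool's own code, of the first-line check described above: normalize first, then test charset, length and an optional checksum, returning a message the user can act on. The page does not say how the Luhn option treats letters, so this assumes Luhn mod 36 over 0-9A-Z with hyphens ignored; the function names, the hyphen-placement rule and the message texts are also assumptions.

```python
import re

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # assumed Luhn mod 36 alphabet
N = len(ALPHABET)
ALLOWED = re.compile(r"[A-Z0-9-]+")  # ASCII only; rejects look-alike Unicode


def normalize(raw):
    """Strip all whitespace and uppercase, as the server does before lookup."""
    return "".join(raw.split()).upper()


def _luhn_sum(chars, factor):
    """Luhn mod N sum, walking right to left and alternating the factor."""
    total = 0
    for ch in reversed(chars):
        addend = factor * ALPHABET.index(ch)
        total += addend // N + addend % N
        factor = 1 if factor == 2 else 2
    return total


def check_char(payload):
    """Check character to append to a hyphen-free, normalized payload."""
    return ALPHABET[(N - _luhn_sum(payload, 2) % N) % N]


def validate(raw, min_len=6, max_len=20, luhn=False):
    """Return (ok, normalized_code, message). Length counts hyphens (assumption)."""
    code = normalize(raw)
    if not code:
        return False, code, "Enter a promo code."
    if not ALLOWED.fullmatch(code):
        return False, code, "Use only letters, digits and hyphens."
    # Assumed rule: hyphens only separate groups, never lead, trail or repeat.
    if code.startswith("-") or code.endswith("-") or "--" in code:
        return False, code, "Hyphens must separate groups of characters."
    if not min_len <= len(code) <= max_len:
        return False, code, f"Codes are {min_len} to {max_len} characters long."
    if luhn and _luhn_sum(code.replace("-", ""), 1) % N != 0:
        return False, code, "That code looks mistyped; check it and try again."
    return True, code, "Format OK."
```

With the checksum enabled, any single mistyped character is rejected before the backend performs a database lookup.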

Code-generation patterns in production

  • Generic campaign: short brandable strings — BLACKFRIDAY, SAVE20, FREESHIP. Shared by all users, easy to brute-force, must rely on quota and expiry.
  • Time-bound: WINTER24, SPRING24, Q1-LAUNCH. Same risk profile but bounded by expiry date.
  • Tier-bound: VIP10, GOLD20, STUDENT15. Validated against the user's segment in the backend.
  • Unique per-user: ALICE-2024-X8M, USR-A1B2C3. Generated server-side, stored in a coupon table, single-use, anti-share.
  • Affiliate / influencer: INFLUENCERNAME10. Brand prefix + percent off. Tracks attribution via UTM.

Anti-fraud techniques every coupon engine needs

  • Rate limit: cap attempts per IP and per user — 5 wrong codes in 60 seconds is a red flag.
  • Expiry date: hard cutoff in UTC, not local time. expires_at <= NOW() -> 410 Gone.
  • Max uses: used_count >= max_uses -> 410 Gone. Use a row lock or atomic UPDATE ... WHERE used_count < max_uses.
  • Per-user quota: uses_per_user = 1 blocks signup-bonus farming via fake emails.
  • Order minimum: min_subtotal_cents prevents 1-cent purchases that abuse free shipping.
  • Stack rules: explicitly mark which coupons combine with each other; default to "no stacking" to avoid combined-discount fraud.
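
The expiry, max-uses, per-user and order-minimum checks from this list as one redemption path, as an added example rather than code from any platform named on this page. The table layout, the redemptions table, the function names and every status other than 410 are assumptions, the coupon rows are constructed, and SQLite stands in for the production database.

```python
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE coupons (code TEXT PRIMARY KEY, expires_at TEXT, max_uses INTEGER,
  used_count INTEGER DEFAULT 0, uses_per_user INTEGER, min_subtotal_cents INTEGER);
CREATE TABLE redemptions (code TEXT, user_id TEXT);
"""


def demo_db():
    """In-memory database holding two constructed coupons."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO coupons VALUES (?, ?, ?, 0, ?, ?)",
        [("SAVE10", "2030-01-01T00:00:00Z", 2, 1, 1000),
         ("WINTER24", "2024-03-01T00:00:00Z", 100, 1, 0)])
    db.commit()
    return db


def redeem(db, code, user_id, subtotal_cents, now=None):
    """Return (status, reason); now is an ISO-8601 UTC string (default: current)."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with db:  # one transaction: commit on return, roll back on exception
        row = db.execute("SELECT expires_at, uses_per_user, min_subtotal_cents "
                         "FROM coupons WHERE code = ?", (code,)).fetchone()
        if row is None:
            return 404, "unknown code"
        expires_at, uses_per_user, min_subtotal_cents = row
        if expires_at <= now:  # same-format UTC strings compare chronologically
            return 410, "expired"
        if subtotal_cents < min_subtotal_cents:
            return 422, "order below minimum"
        used = db.execute("SELECT COUNT(*) FROM redemptions "
                          "WHERE code = ? AND user_id = ?", (code, user_id)).fetchone()[0]
        if used >= uses_per_user:
            return 409, "per-user quota reached"
        # Check and increment in one statement, so two concurrent requests
        # cannot both take the last remaining use.
        claimed = db.execute("UPDATE coupons SET used_count = used_count + 1 "
                             "WHERE code = ? AND used_count < max_uses", (code,))
        if claimed.rowcount == 0:
            return 410, "max uses reached"
        db.execute("INSERT INTO redemptions VALUES (?, ?)", (code, user_id))
        return 200, "redeemed"
```

The per-user check here is a read followed by a write; under concurrent requests from one account it also needs a unique constraint or a lock to hold.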

Common attack vectors

  • Brute force: 4-character codes have a search space of 36^4 ~ 1.6M and are trivially brute-forceable. Use at least 8 chars of entropy and rate limit.
  • Coupon stacking: combining several discounts that were never meant to coexist. Defend with explicit stacking rules and full-cart validation.
  • Account creation farming: bots create fake accounts to redeem signup-bonus codes. Defend with email verification, device fingerprinting and CAPTCHAs at the redeem step.
  • Code leakage via aggregators: Honey, Capital One Shopping and RetailMeNot scrape and broadcast codes within hours. Mitigate with personalized codes, short expiry windows and per-user quotas.
  • Refund chaining: redeem, refund, redeem again. Mark coupon usage non-reversible by default.
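
The rate limit that backs the brute-force defence, using the threshold given earlier (5 wrong codes in 60 seconds, per IP and per user), as an added example that is not taken from any product named on this page. The class and function names and the event tuples are assumptions; sample events fed to it should be constructed test data.

```python
from collections import defaultdict, deque


class FailedAttemptLimiter:
    """Sliding-window count of wrong codes, tracked per IP and per user."""

    def __init__(self, max_fails=5, window_s=60):  # thresholds from the text
        self.max_fails = max_fails
        self.window_s = window_s
        self._fails = defaultdict(deque)  # key -> timestamps of wrong codes

    def _recent(self, key, now):
        """Drop timestamps that left the window and count what remains."""
        q = self._fails[key]
        while q and q[0] <= now - self.window_s:
            q.popleft()
        return len(q)

    def attempt(self, now, ip, user, lookup):
        """Return 'blocked', 'ok' or 'wrong'; lookup() runs only if not blocked."""
        keys = [("ip", ip)] + ([("user", user)] if user else [])
        if any(self._recent(k, now) >= self.max_fails for k in keys):
            # Still log this as code_attempted, but never evaluate the code:
            # a blocked client must not learn whether its guess was right.
            return "blocked"
        if lookup():
            return "ok"
        for k in keys:
            self._fails[k].append(now)
        return "wrong"


def replay(events, valid_codes):
    """Run (ts, ip, user, code) events, in time order, through a fresh limiter."""
    limiter = FailedAttemptLimiter()
    return [limiter.attempt(ts, ip, user, lambda c=code: c in valid_codes)
            for ts, ip, user, code in events]
```

Keying on the user as well as the IP means that rotating source addresses does not reset the count for a logged-in account.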

Tooling and libraries

Platform APIs that abstract most of this work: Stripe Coupons (POST /v1/coupons), Shopify DiscountCode (Admin GraphQL), Magento Cart Rules, WooCommerce Coupons (REST). For self-hosted code generation, npm packages voucher-code-generator and couponcodes emit random codes with configurable pattern, charset and count. Both support CSV export for bulk email campaigns. Brazilian e-commerce — Magazine Luiza, Americanas, Mercado Livre — has a heavy coupon culture and uses these generators (or in-house equivalents) at scale.

Design checklist for a healthy coupon

  • Length 8-12 chars for shareable codes; 16-20 for unique single-use codes.
  • Charset A-Z 0-9; skip 0/O and 1/I/L to reduce transcription errors.
  • Case-insensitive comparison server-side; users will type lowercase.
  • Hyphens every 4-6 chars when length >= 12: improves typing accuracy.
  • Always log code_attempted and code_redeemed separately for analytics and abuse review.
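
A generator that follows this checklist, with the brute-force arithmetic from the attack-vector list made computable; this is an added example, not the code of voucher-code-generator or couponcodes. It assumes that "length" counts random characters and that hyphens are display-only, and all function names are hypothetical.

```python
import math
import secrets

# A-Z 0-9 without the look-alikes 0/O and 1/I/L from the checklist: 31 symbols.
CHARSET = "".join(c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
                  if c not in "0O1IL")


def generate(length=16, group=4):
    """Random code from the OS CSPRNG; hyphenated for display when length >= 12."""
    raw = "".join(secrets.choice(CHARSET) for _ in range(length))
    if length < 12:
        return raw
    return "-".join(raw[i:i + group] for i in range(0, length, group))


def canonical(code):
    """Form to store and compare: uppercase, whitespace and hyphens removed."""
    return "".join(code.split()).replace("-", "").upper()


def entropy_bits(length, charset_size=len(CHARSET)):
    """Bits of entropy in a uniformly random code of this length."""
    return length * math.log2(charset_size)


def hit_probability(length, live_codes, guesses, charset_size=len(CHARSET)):
    """Chance that uniform random guesses hit at least one live code."""
    p_single = live_codes / charset_size ** length
    # 1 - (1 - p)^g, computed so that very small probabilities are not
    # rounded to zero.
    return -math.expm1(guesses * math.log1p(-p_single))
```

`hit_probability(4, 1, 1_000_000, 36)` is about 0.45 for one live 4-character code, while 10,000 live 16-character codes from this charset stay below 1e-12 for the same million guesses.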

FAQ

What is the ideal length for a promo code?

8-12 characters for marketing codes shared with many users (memorable), 16-20 for single-use personalized codes (high entropy). Below 6 chars is brute-forceable; above 20 hurts transcription accuracy.

Case sensitive or not?

Prefer case-insensitive. Users routinely type in lowercase even when the print campaign was uppercase. Normalize to uppercase before comparing to your database.

Can I reuse an expired code?

Technically yes, but it is rarely a good idea. Expired codes may have leaked to aggregators (Honey, RetailMeNot). If you do reuse, change at least 2 characters to avoid being matched by their cached signatures.

Should I allow hyphens or special chars?

Hyphens, yes — they improve readability in printed material. Other special chars (!, @, %) introduce keyboard ambiguity across locales and break shell pasting; avoid them.

How do I protect against code aggregators?

Use personalized codes tied to user accounts, set short expiry windows (24-72 hours), enforce per-user quotas and monitor redemption velocity. If you see a single code redeemed 1000+ times within minutes, it has been broadcast.
