Skip to content
Cline

Random String

Random String generator creates cryptographically secure alphanumeric identifiers using Laravel’s Str::random() helper, ideal for tokens, passwords, and general-purpose unique identifiers.

What is Random String?

Section titled “What is Random String?”

Random String generates secure, alphanumeric identifiers:

  • Cryptographically secure: Uses random_bytes() internally
  • Alphanumeric: Contains only a-z, A-Z, 0-9
  • Configurable length: Any length you need
  • Lightweight: Fast generation
  • Laravel native: Leverages Laravel’s proven implementation

Example Random String: aB3dEf9Hi2kLmN5pQ7r

Basic Usage

Section titled “Basic Usage”

Generate random strings with default or custom length:

use Cline\StronglyTypedId\Generators\RandomStringGenerator;


// Default 21-character string
$generator = new RandomStringGenerator();
$id = $generator->generate();
// "aB3dEf9Hi2kLmN5pQ7rSt"


// Custom length
$generator = new RandomStringGenerator(length: 16);
$token = $generator->generate();
// "aB3dEf9Hi2kLmN5p"

Common Use Cases

Section titled “Common Use Cases”

API Tokens

Section titled “API Tokens”
// 32-character API token
$generator = new RandomStringGenerator(length: 32);
$apiToken = $generator->generate();
// "aB3dEf9Hi2kLmN5pQ7rStUv1Wx2Yz3A4"

Session IDs

Section titled “Session IDs”
// 40-character session identifier
$generator = new RandomStringGenerator(length: 40);
$sessionId = $generator->generate();

Verification Codes

Section titled “Verification Codes”
// 6-character verification code (still alphanumeric)
$generator = new RandomStringGenerator(length: 6);
$code = $generator->generate();
// "aB3dEf"

Reset Tokens

Section titled “Reset Tokens”
// 64-character password reset token
$generator = new RandomStringGenerator(length: 64);
$resetToken = $generator->generate();

Value Object Integration

Section titled “Value Object Integration”

Create strongly-typed random string IDs:

use Cline\StronglyTypedId\Generators\RandomStringGenerator;
use Cline\StronglyTypedId\ValueObjects\StronglyTypedId;


final readonly class ApiToken extends StronglyTypedId
{
    protected static function generator(): IdGeneratorInterface
    {
        return new RandomStringGenerator(length: 32);
    }
}


// Usage
$token = ApiToken::generate();
echo $token; // "aB3dEf9Hi2kLmN5pQ7rStUv1Wx2Yz3A4"

Laravel Model Integration

Section titled “Laravel Model Integration”

Use with Eloquent models:

use Illuminate\Database\Eloquent\Model;


class ApiKey extends Model
{
    protected $casts = [
        'token' => ApiToken::class,
    ];


    protected static function booted(): void
    {
        static::creating(function (ApiKey $key) {
            $key->token = ApiToken::generate();
        });
    }
}

Migration:

Schema::create('api_keys', function (Blueprint $table) {
    $table->id();
    $table->string('token', 32)->unique();
    $table->timestamps();
});

Combining with Prefixed IDs

Section titled “Combining with Prefixed IDs”

Create prefixed random string IDs:

use Cline\StronglyTypedId\Generators\PrefixedIdGenerator;
use Cline\StronglyTypedId\Generators\RandomStringGenerator;


// Session ID with prefix
$generator = new PrefixedIdGenerator(
    'sess',
    new RandomStringGenerator(length: 40)
);
$sessionId = $generator->generate();
// "sess_aB3dEf9Hi2kLmN5pQ7rStUv1Wx2Yz3A4B5C6D7"

Security Characteristics

Section titled “Security Characteristics”

Randomness Source

Section titled “Randomness Source”
  • Uses PHP’s random_bytes() via Laravel’s Str::random()
  • Cryptographically secure random number generator (CSPRNG)
  • Suitable for security-sensitive applications

Entropy Calculation

Section titled “Entropy Calculation”

For alphanumeric charset (62 characters: a-z, A-Z, 0-9):

LengthEntropyCollision Resistance
6 chars~36 bits~68 billion combinations
16 chars~95 bits~3.5×10²⁸ combinations
21 chars~125 bits~5.2×10³⁷ combinations
32 chars~190 bits~1.6×10⁵⁷ combinations

Use for Security Tokens

Section titled “Use for Security Tokens”
// High-entropy token for password reset
$generator = new RandomStringGenerator(length: 64);
$resetToken = $generator->generate();
// 381 bits of entropy - extremely secure

Database Storage

Section titled “Database Storage”

Store as VARCHAR with exact length:

Schema::create('tokens', function (Blueprint $table) {
    $table->string('token', 32)->unique(); // Exact length
    $table->timestamp('expires_at');
    $table->timestamps();
});

Index for lookups:

$table->string('token', 32)->unique()->index();

Length Recommendations

Section titled “Length Recommendations”
Use CaseRecommended LengthRationale
Public IDs21Balance of security and usability
API Keys32High security, reasonable length
Session IDs40Session fixation resistance
Password Reset64Maximum security for sensitive ops
Verification Codes6-8User-friendly while secure enough
Internal Tokens16Fast generation, adequate security

Random String vs Other Generators

Section titled “Random String vs Other Generators”

vs UUID

Section titled “vs UUID”
  • Random String: Shorter, configurable length, alphanumeric only
  • UUID: Standardized, 36 chars with hyphens, time-ordered variants

vs NanoID

Section titled “vs NanoID”
  • Random String: Pure alphanumeric (62 chars)
  • NanoID: URL-safe with _- (64 chars), configurable alphabet

vs Random Bytes

Section titled “vs Random Bytes”
  • Random String: Alphanumeric output
  • Random Bytes: Hexadecimal output (only 16 chars)

vs Sqids

Section titled “vs Sqids”
  • Random String: Pure random, not encodeable/decodeable
  • Sqids: Encodes numbers, deterministic, decodeable

Best Practices

Section titled “Best Practices”

Token Storage

Section titled “Token Storage”
// Hash tokens before storage (for API keys)
use Illuminate\Support\Facades\Hash;


$generator = new RandomStringGenerator(length: 32);
$plainToken = $generator->generate();
$hashedToken = Hash::make($plainToken);


// Store $hashedToken in database
// Return $plainToken to user (only once)

Expiration Handling

Section titled “Expiration Handling”
Schema::create('tokens', function (Blueprint $table) {
    $table->string('token', 32)->unique();
    $table->timestamp('expires_at')->index();
    $table->timestamps();
});


// Query only non-expired tokens
Token::where('expires_at', '>', now())
    ->where('token', $plainToken)
    ->first();

Rate Limiting Token Generation

Section titled “Rate Limiting Token Generation”
use Illuminate\Support\Facades\RateLimiter;


public function generateApiToken()
{
    RateLimiter::attempt(
        'generate-token:'.$this->user->id,
        $perMinute = 5,
        function () {
            $generator = new RandomStringGenerator(length: 32);
            return $generator->generate();
        }
    );
}

Use Cases

Section titled “Use Cases”

Choose Random String when:

  • Generating API tokens
  • Creating session identifiers
  • Building password reset tokens
  • Needing verification codes
  • Want pure alphanumeric output
  • Leveraging Laravel’s ecosystem

Choose other generators for:

  • UUID: Need time-ordered IDs or RFC compliance
  • NanoID: Want URL-safe with custom alphabet
  • Random Bytes: Need hexadecimal output
  • Sqids: Need encodeable/decodeable IDs