{"id":2526,"library":"hashids","title":"Hashids","description":"Hashids is a small library that generates short, unique, and non-sequential IDs from numbers. It's often used for obfuscating database IDs in URLs, tracking, or invitation codes, providing a user-friendly and URL-safe representation of integers without exposing their underlying numeric values. The current version is 1.3.1. It is mostly in maintenance mode, as a new version called Sqids is the recommended successor.","status":"maintenance","version":"1.3.1","language":"en","source_language":"en","source_url":"https://github.com/davidaurelio/hashids-python","tags":["id obfuscation","url shortener","encoding","decoding","non-sequential ids","hashids"],"install":[{"cmd":"pip install hashids","lang":"bash","label":"Install latest version"}],"dependencies":[],"imports":[{"note":"While functional, directly importing `Hashids` is the idiomatic way to use the constructor.","wrong":"import hashids; hashids.Hashids()","symbol":"Hashids","correct":"from hashids import Hashids"}],"quickstart":{"code":"from hashids import Hashids\n\n# Instantiate with optional salt and minimum hash length for better obfuscation\n# Using a salt makes your hashes unique to your application.\n# min_length ensures all generated hashes are at least that long.\n# For production, consider getting the salt from environment variables.\nhashids = Hashids(salt=\"my-super-secret-salt-from-env\", min_length=8)\n\n# Encode one or more integers into a hashid string\nid_to_encode = 12345\nencoded_id = hashids.encode(id_to_encode)\nprint(f\"Encoded {id_to_encode}: {encoded_id}\")\n\nmultiple_ids_to_encode = (1, 2, 3)\nencoded_multiple = hashids.encode(*multiple_ids_to_encode)\nprint(f\"Encoded {multiple_ids_to_encode}: {encoded_multiple}\")\n\n# Decode a hashid string back to its original integers (as a tuple)\ndecoded_ints = hashids.decode(encoded_id)\nprint(f\"Decoded '{encoded_id}': {decoded_ints}\")\n\ndecoded_multiple = hashids.decode(encoded_multiple)\nprint(f\"Decoded '{encoded_multiple}': {decoded_multiple}\")","lang":"python","description":"This quickstart demonstrates how to initialize the `Hashids` class with a salt and minimum length, then encode single or multiple integers into a hashid string, and finally decode the hashid back to the original integers."},"warnings":[{"fix":"Always combine Hashids with proper authorization and never treat the generated IDs as secure tokens. For cryptographic needs, use libraries like `passlib` or `cryptography`.","message":"Hashids is for obfuscation, not security or cryptography. It is reversible and should not be used for sensitive data, passwords, or any scenario requiring true cryptographic hashing.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure your Python `hashids` version matches the expected JavaScript `hashids` version for cross-language compatibility. For new projects, stick to the latest versions.","message":"The default alphabet was changed in versions 1.0.0 and above. If you need compatibility with hashids.js v0.1.x, you must install hashids-python v0.8.4. For hashids.js v0.3.x+, use hashids-python v1.0.2+.","severity":"breaking","affected_versions":"1.0.0+"},{"fix":"Always initialize `Hashids` with a strong, unique, and secret salt string. Ideally, retrieve this salt from environment variables or a secure configuration system.","message":"Using a unique `salt` value is crucial. Without a salt (or with a commonly known one), different applications would generate the same hash for the same number, making it easy to guess or reverse.","severity":"gotcha","affected_versions":"All versions"},{"fix":"For new projects, consider using 'Sqids' (pip install sqids) instead of 'Hashids'. For existing projects, be aware that Hashids is largely in maintenance mode.","message":"The original creator of Hashids has introduced an improved and rebranded library called 'Sqids'. While Hashids is still maintained, Sqids is the recommended successor for new projects, offering a simplified API, consistent output across languages, and clearer goals.","severity":"deprecated","affected_versions":"All versions"},{"fix":"Always implement robust authorization checks on your backend endpoints, regardless of whether you're using plain IDs or Hashids. Hashids is a layer of obfuscation, not a security control.","message":"Hashids does not prevent enumeration attacks on its own. While it obfuscates sequential IDs, if an attacker can simply increment/decrement the generated hash and get valid responses, it can still expose the total number of records or allow unauthorized access if not backed by proper authorization.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}