Each Founder gets a unique, shareable referral link. The slug in that link must be:
Cryptographically random — not guessable from any user attribute.
URL-safe — no characters that require percent-encoding in a path segment.
Short enough to share in plain text (chat, email, social).
Collision-resistant at the expected Founders cohort size (target 250; design envelope 10,000).
Three practical options existed: sequential integer IDs, UUID v4, and short random base64url tokens.
Decision
Generate 6 random bytes via os.urandom(6) (or platform CSPRNG equivalent), base64url-encode (RFC 4648 §5, no padding), yielding an 8-character URL-safe slug.
Link format: https://getraxx.com/r/{8-char-slug}
On collision (DB UNIQUE violation on slug): retry up to 3 times, then raise an application error. The slug space holds 2^48 (~281 trillion) values, so a collision on any single insert is extremely unlikely at any practical cohort size.
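The decision above as a runnable sketch, added here as an illustration and not taken from the project's code base. The table name `referral_links`, the SQLite backend, the function names, and the reading of "retry up to 3 times" as one initial attempt plus three retries are all assumptions.

```python
import base64
import math
import os
import sqlite3

SLUG_BYTES = 6     # 48 bits -> 8 base64url characters
MAX_ATTEMPTS = 4   # assumption: 1 initial attempt + the 3 retries allowed above


class SlugExhaustedError(RuntimeError):
    """Every attempt hit the UNIQUE constraint on slug."""


def new_slug(rand=os.urandom):
    raw = rand(SLUG_BYTES)
    # 6 is a multiple of 3, so no '=' padding is produced; rstrip guards
    # against padding reaching a URL if SLUG_BYTES is ever changed.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_db():
    # Hypothetical schema; the PRIMARY KEY supplies the UNIQUE index.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE referral_links ("
                 "slug TEXT PRIMARY KEY, founder_id INTEGER NOT NULL)")
    return conn


def create_referral(conn, founder_id, rand=os.urandom):
    # Insert first and let the database detect duplicates: a SELECT-then-INSERT
    # check would race between concurrent requests.
    for _ in range(MAX_ATTEMPTS):
        slug = new_slug(rand)
        try:
            with conn:  # commits on success, rolls back on error
                conn.execute("INSERT INTO referral_links (slug, founder_id) "
                             "VALUES (?, ?)", (slug, founder_id))
            return slug
        except sqlite3.IntegrityError:
            continue  # slug already taken: draw a fresh one
    raise SlugExhaustedError(f"no free slug after {MAX_ATTEMPTS} attempts")


def birthday_collision_probability(n, bits=48):
    # P(at least one collision among n uniform slugs) ~ 1 - exp(-n(n-1)/2^(bits+1))
    return -math.expm1(-n * (n - 1) / 2 ** (bits + 1))
```

The `rand` parameter exists only so tests can force a collision; production callers leave it at `os.urandom`. In a real schema, confirm that the integrity error names the slug constraint before retrying, since other constraints raise the same exception.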
Consequences
Positive
No CSPRNG dependency beyond the standard library. os.urandom is available in Python 3.x and uses the OS entropy source (getrandom syscall on Linux, CryptGenRandom on Windows).
8 characters is short and shareable — fits in a tweet, a text, a Slack message without wrapping.
48 bits of entropy. Birthday paradox: at 10,000 slugs, collision probability ≈ 1.8 × 10^−9. At 1,000,000 slugs it is still < 0.2%. For the Founders cohort (target 250), it is effectively zero.
No user attribute leakage. Slugs carry no information about the Founder's ID, email, or join date.
Negative
Not length-extensible without a migration. If entropy requirements change (e.g., we open referrals to 100M users), the slug column length and the generation logic must both change. Acceptable for v1 given the Founders cohort ceiling.
Requires a DB round-trip for collision check. A UNIQUE index makes this safe; the retry budget of 3 is ample.
Alternatives considered
UUID v4 (128-bit / 36 chars)
UUID v4 is cryptographically sound and collision-resistant. Rejected because it produces 36-character strings including hyphens, which are cumbersome to share verbally or in short messages. The URL would be https://getraxx.com/r/550e8400-e29b-41d4-a716-446655440000 — not user-friendly.
Sequential integer ID (e.g., Founder #127)
Simple, zero collision risk. Rejected because it is guessable and enumerable: a bad actor can iterate all Founder IDs, attribute signups to arbitrary Founders, and manipulate referral attribution. Even if attribution has limited monetary value in v1, the principle of not having guessable resource identifiers in a trading-adjacent product applies.
ULID (128-bit, 26 chars, time-sortable)
Better than UUID for readability; still 26 characters. Also encodes a timestamp, which leaks link-creation timing. Rejected on both length and information-leakage grounds.
Revisit when
The Founders cohort target exceeds 1,000,000 users. At that scale, birthday-paradox risk becomes non-negligible and a longer slug should be considered.
The referral link is ever used as a cryptographic token (e.g., carries access rights beyond attribution). At that point, 48 bits is insufficient and 128-bit is the minimum.