gwp_generate_token
The gwp_generate_token merge tag for Gravity Forms is designed to generate a random token with customizable attributes such as length and character set.
How to Use the gwp_generate_token Merge Tag
The gwp_generate_token merge tag has the following possible parameters (default values are shown here):
{gwp_generate_token charset='AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz1234567890' length='16' prefix='' postfix='' unique='false' retries='10'}Charset Parameter
Defines the set of characters that can be used to generate the token. By default this character set is used:
AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz1234567890Length Parameter
Specifies the length of the generated token. This must be an integer with a minimum value of 8. If the provided length is less than 8 or not an integer, an error will be returned.
Prefix Parameter
Adds a specified prefix to the generated token.
Postfix Parameter
Adds a specified postfix to the generated token.
Unique Parameter
Determines whether the generated token should be unique. by default this is ‘false‘. When set to ‘true', the generated token will be checked for uniqueness against the entry_meta and draft_submissions database table. This will make sure there is no (draft) entry with this value at the moment the token is generated. Up to 10 attempts (or as specified in the retry parameter) will be made to ensure uniqueness before returning an error if unsuccessful.
Important note: this check for uniqueness might put a heavy load on your database if you have a very large number of entries, use it with care.
Retries Parameter
Allows to change the number of retries to achieve uniqueness.
Examples
| Example Usage | Expected Output |
|---|---|
| {gwp_generate_token} | A random token of 16 characters using the default character set. |
| {gwp_generate_token length=12} | A random token of 12 characters using the default character set. |
| {gwp_generate_token charset=ABC123 length=10} | A random token of 10 characters using only A, B, C, 1, 2, 3. |
| {gwp_generate_token length=20 unique=true} | A random token of 20 characters ensured to be unique. |
| {gwp_generate_token prefix=PRE_} | A random token prefixed with “PRE_”. |
| {gwp_generate_token postfix=_POST} | A random token postfixed with “_POST”. |
Frequently Asked Questions
The gwp_generate_token merge tag generates a random, secure token when someone submits a form. You can control the token’s length, allowed characters, and even make it unique. It’s perfect for things like access codes, magic links, or user verification.
You can use this tag in hidden fields, confirmation messages, email notifications, or any merge-tag-supported location.
Example:{gwp_generate_token length=16}
This creates a random 16-character token like:
f3K8LmQp92WzXaN7
Yes! You can change how the token looks using the available parameters. You can set a prefix, postfix, or even choose the characters used. This is helpful if you want the token to include branding or follow a certain pattern.
Example:{gwp_generate_token prefix=USER_ postfix=_2025 length=12}
Might return:
USER_AkL29Qx7TnF_2025
To ensure that no two form entries ever get the same token, set unique=true. Gravity Forms will check all existing entries and retry several times (default is 10) to create a unique one.
Example:{gwp_generate_token length=20 unique=true}
This guarantees the token hasn’t been used in any previous entry.
Important note: this check for uniqueness might put a heavy load on your database if you have a very large number of entries, use it with care.
The minimum allowed length is 8 characters. If you enter a value smaller than 8 or something that’s not a number, the merge tag will return an error and won’t generate a token.
Example (invalid):{gwp_generate_token length=5}
This won’t work. Instead, use at least:{gwp_generate_token length=8}
You can use it anywhere that supports merge tags inside Gravity Forms. This includes:
-Hidden field default values
-Confirmation messages
-Notification emails
-Redirect URLs
-HTML fields
-Integrations like Webhooks or PDFs
Example inside a confirmation message:Thanks for registering! Your access code is: {Access Code:2}
(Assuming you stored the token in a hidden field called “Access Code” with Field ID 2)
Last updated: 18-07-2025
