Skip to main content
A Warp Code is the human-readable token that two peers exchange to establish a direct WebRTC connection in HashDrop. Instead of sharing a URL or a UUID, you share a short phrase like COSMIC-FALCON. The code is ephemeral, single-use, and generated without any server involvement.

What a Warp Code is

Every Warp Code follows the ADJECTIVE-NOUN format — two uppercase words joined by a hyphen. Examples: STELLAR-PHOENIX, NEON-VORTEX, ARCTIC-KRAKEN. When a sender drops a file or opens a session, HashDrop generates a fresh Warp Code and registers it on the PeerJS signaling server. The receiver types the same code into their client. The signaling server matches the two peers, facilitates the WebRTC handshake, and then steps away. From that point on, data flows directly between the two browsers.

How Warp Codes are generated

Warp Codes are produced entirely in the browser using the Web Crypto API. No server generates or stores the code — the browser creates it locally and registers it with the signaling server only to make the two peers discoverable to each other.

Secure random index selection

The selection of each word from the adjective and noun lists is driven by crypto.getRandomValues, which reads from the operating system’s cryptographically secure random number generator: 
/**
 * Generate a secure random index using Web Crypto API
 */
function getSecureRandomIndex(max: number): number {
  if (typeof window === 'undefined') {
    // Fallback for SSR
    return Math.floor(Math.random() * max)
  }
  
  const randomBuffer = new Uint32Array(1)
  window.crypto.getRandomValues(randomBuffer)
  return randomBuffer[0] % max
}
A Uint32Array of length 1 is filled with a random 32-bit integer. The modulo operation maps it to a valid list index.

Code assembly

generateSecureCode calls getSecureRandomIndex twice — once for the adjective list, once for the noun list — and concatenates the results: 
/**
 * Generate a Warp Code with format: "ADJECTIVE-NOUN"
 * Example: "COSMIC-FALCON", "STELLAR-PHOENIX"
 */
export function generateSecureCode(): string {
  const adjIndex = getSecureRandomIndex(ADJECTIVES.length)
  const nounIndex = getSecureRandomIndex(NOUNS.length)
  
  return `${ADJECTIVES[adjIndex].toUpperCase()}-${NOUNS[nounIndex].toUpperCase()}`
}

Code validation

Before any connection attempt, the client checks that the entered code matches the expected format using isValidCode: 
/**
 * Validate code format
 */
export function isValidCode(code: string): boolean {
  return /^[A-Z]+-[A-Z]+$/.test(code)
}
Only codes that pass this check are forwarded to the signaling server.

Entropy

The adjective list contains 80 words and the noun list contains 80 words, giving 6,400 unique combinations (80 × 80). The lists were deliberately expanded from 40 × 40 to increase entropy — the source comments this explicitly (// SECURITY: Added 40 more adjectives to increase entropy (80 total)). Because each index is chosen independently with crypto.getRandomValues, an attacker cannot predict which code will be generated next.

Security properties

5-minute expiry

The codeExpiry field in the Warp store holds a Unix timestamp set at code generation time. Codes that have passed their expiry are rejected by the client before any network request is made. You have 5 minutes from code generation to share it and establish a connection.
The 5-minute window starts when the code is generated on the sender’s side, not when the receiver first sees it. Share the code promptly.

Single-connection constraint

The signaling server enforces that only the first peer to present a given code can connect to the session. Any subsequent attempt with the same code is rejected. This prevents a third party who intercepts or guesses the code from joining an in-progress or completed session.

Peer ID mapping

A Warp Code maps deterministically to a PeerJS peer ID. The mapping is one-way and namespaced to prevent collisions with other PeerJS sessions: 
/**
 * Convert display code to PeerJS ID
 * Example: "COSMIC-FALCON" → "sr-warp-cosmic-falcon"
 */
export function codeToPeerId(displayCode: string): string {
  return `sr-warp-${displayCode.toLowerCase()}`
}

/**
 * Convert display code to PeerJS ID for video calls
 * Example: "COSMIC-FALCON" → "sr-call-cosmic-falcon"
 */
export function codeToCallPeerId(displayCode: string): string {
  return `sr-call-${displayCode.toLowerCase()}`
}
File transfer sessions use the sr-warp- prefix; video call sessions use sr-call-. This means a single Warp Code can establish both a data channel and a call channel simultaneously without namespace conflicts.
Never share a Warp Code with anyone except the intended recipient. The first person to enter a valid, unexpired code connects — there is no additional authentication step after that.

Build docs developers (and LLMs) love

Get started for freeTalk to us