I need to generate a code verifier, i.e., as implemented here:
auth0.com/docs/api-auth/tutorials/authorization-c…
I cannot use the crypto module on the client side, nor is the library available on npm, as it has been deprecated and is included in Node by default.
Is there any alternative or workaround to generate it on the client side, i.e., in the browser?
I'm not exactly sure what you are doing, but random numbers for authentication need to be good random numbers, not just any random stuff. As Todd mentioned, it should require a CSPRNG. And furthermore, if it's a number used for security/authenticity, it's usually not a good idea to rely on the client when it's meant to be the source of truth (you're moving the trust from your server to the client!).
Here's a highly recommended read as soon as keys/CSPRNGs/encryption are involved, if you're not sure about all the concepts: What devs need to know about Encoding / Encryption / Hashing / Salting / Stretching
And this gist is a good short refresher: gist.github.com/joepie91/7105003c3b26e65efcea63f3…
Something like this? Then change length and possible to the desired RNG length and complexity.
// Builds an 8-character alphanumeric string by picking characters with Math.random().
// Note: Math.random() is a regular PRNG, not a CSPRNG.
function rng() {
    let uID = '';
    let length = 8;
    let possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    for (let i = 0; i < length; i++) {
        uID += possible.charAt(Math.floor(Math.random() * possible.length));
    }
    return uID;
}
Since client-side code is NEVER secure, what purpose would generating it client-side even serve, except to CREATE a security hole?
This isn't even a question you should be asking! You don't generate this stuff client-side, since any grade-school script kiddie with Greasemonkey or Tampermonkey installed can slap your JavaScript around like a whore that's not paying out a full cut to her pimp.
Client-side code IS NOT SECURE, so it really doesn't matter how random whatever you generate is; it's USELESS.
Todd
Software Security TechLead
It looks like that Auth0 code requires a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).
DO NOT IMPLEMENT THAT YOURSELF
CSPRNGs have a very specific purpose, which is chiefly to be completely unpredictable. If you use a regular pseudo-random number generator (PRNG) where a CSPRNG belongs, you can easily compromise your application's security. In fact, malware analysts/antivirus companies are sometimes able to reverse the effect of ransomware and recover the encrypted files due to this very error by the malware authors.
Since this code seems to require a CSPRNG, I would only use a proper CSPRNG.
Read more.
Also, see the "Remarks" section of msdn.microsoft.com/en-us/library/windows/desktop/… on MSDN.