A UUID (Universally Unique Identifier) is a 128-bit identifier, typically displayed as a 32-character hexadecimal string in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. You have almost certainly encountered UUIDs in APIs, databases, file systems, and URLs. Understanding what they are, why they exist, and when to use them is essential knowledge for any software developer.
> Generate one now: Use our free [UUID Generator](/tools/uuid-generator) to create cryptographically random v4 UUIDs instantly — no signup, no install.
What Does a UUID Look Like?
A standard UUID looks like this: 550e8400-e29b-41d4-a716-446655440000
It consists of five groups of hexadecimal digits, separated by hyphens: 8-4-4-4-12 characters. This format is specified in RFC 4122, the UUID standard.
The total number of possible UUIDs in version 4 (random) is 2¹²², or approximately 5.3×10³⁶. If you generated one billion UUIDs per second for the entire age of the universe, you would still have used only a tiny fraction of the available space. Collisions are theoretically possible but practically impossible.
UUID Versions Explained
Advertisement
The UUID standard defines five versions, each generated differently:
Version 1 (Time-based): Generated using the current timestamp and the MAC address of the machine generating it. Chronologically sortable, but including the MAC address can be a privacy concern.
Version 2 (DCE Security): Similar to v1 but includes POSIX UID/GID information. Rarely used in modern applications.
Version 3 (Name-based, MD5): Generated by hashing a namespace UUID and a name using MD5. Produces the same UUID for the same name in the same namespace — useful for deterministic IDs.
Version 4 (Random): Generated using cryptographically random numbers. By far the most commonly used version. When people say "UUID," they almost always mean UUIDv4.
Version 5 (Name-based, SHA-1): Like v3 but uses SHA-1 instead of MD5. Preferred over v3 for new applications.
Why Use UUIDs Instead of Sequential IDs?
The traditional approach to database IDs is auto-incrementing integers (1, 2, 3...). This is simple and efficient, but has significant limitations:
Enumeration attacks: Sequential IDs expose your data structure. If a user can access /api/orders/1001, they may try /api/orders/1002 to access someone else's order. UUIDs do not have this problem.
Distributed systems: In a system with multiple databases or microservices, sequential IDs conflict — two services might both generate ID 5000. UUIDs can be generated independently without coordination.
Data merging: When migrating or merging databases, sequential integer IDs from two sources will conflict. UUID-identified records can be merged without any ID changes.
No information leakage: Sequential IDs reveal how many records exist and roughly when a record was created. UUID v4 reveals nothing.
Downsides of UUIDs
Storage size: A UUID takes 16 bytes as binary or 36 characters as text. An integer takes 4–8 bytes. This difference matters at scale — a table with 100 million UUIDs will have significantly larger indexes.
Readability: user_id=7 is easier to discuss in a meeting than user_id=550e8400-e29b-41d4-a716-446655440000.
Index performance: Random UUIDs (v4) cause index fragmentation in B-tree indexes because new values are inserted randomly rather than at the end. This degrades insert performance at very high scale.
ULIDs: A Modern Alternative
ULID (Universally Unique Lexicographically Sortable Identifier) is a newer alternative that addresses UUID's index performance problem. A ULID encodes the current timestamp in the first 48 bits and randomness in the remaining 80 bits, making it sortable by creation time while still being highly unique. ULIDs produce 26-character strings like 01ARZ3NDEKTSV4RRFFQ69G5FAV.
When to Use UUIDs
Use UUIDs for:
- Public-facing IDs in APIs (never expose sequential integers externally)
- Distributed or multi-tenant systems where IDs are generated across multiple services
- User IDs, session tokens, and device IDs where privacy and unpredictability matter
- Files and uploads — UUID-named files avoid conflicts in storage systems
Consider alternatives for:
- High-frequency insert tables where index performance is critical (consider ULID)
- Customer-facing order numbers that users need to reference (use short, human-friendly codes)
- Internal join tables with very high row counts (integers may perform better)
Generating UUIDs in Code
// Node.js (built-in since v15.6)
const { randomUUID } = require('crypto')
const id = randomUUID()
// Browser
const id = crypto.randomUUID()import uuid id = str(uuid.uuid4())
Or simply [generate one instantly with our UUID Generator](/tools/uuid-generator) — useful for testing, configuration, and development workflows.
UUID Namespaces for Deterministic IDs
UUID versions 3 and 5 accept a namespace and a name, always producing the same UUID for the same combination. This is useful for generating stable IDs for known entities:
import uuid # Always produces the same UUID for this email user_id = str(uuid.uuid5(uuid.NAMESPACE_DNS, 'alice@example.com'))
For more on cryptographic hash functions used in UUID generation, see our [MD5 vs SHA-256 guide](/blog/md5-sha256-difference).
Frequently Asked Questions
Q: What is the difference between UUID v4 and UUID v1?
UUID v4 is completely random — it contains no identifiable information. UUID v1 includes the timestamp and MAC address of the generating machine, making it sortable but potentially revealing private information. For most use cases, v4 is the safer and more common choice.
Q: Can two UUIDs ever be identical?
Theoretically yes, but the probability is astronomically small. With UUID v4, there are 2¹²² possible values. You would need to generate quintillions of UUIDs before a collision becomes statistically likely.
Q: Should I store UUIDs as strings or binary in my database?
Binary (16 bytes) is more storage-efficient and faster to index than text (36 characters). Most modern databases have a dedicated UUID column type (PostgreSQL's uuid, MySQL's BINARY(16)) that stores them efficiently.
Q: What is UUID v7 and when should I use it?
UUID v7 is a newer version (proposed in 2022) that encodes a millisecond-precision timestamp in the first bits, making UUIDs sortable by creation time while remaining unique. It combines the sortability of v1 with the randomness of v4, making it excellent for database primary keys.
Conclusion
UUIDs are a fundamental tool for building robust, secure, and scalable systems. Understanding the differences between UUID versions and knowing when UUIDs are the right choice will help you make better architectural decisions. [Use ToolHub's UUID Generator](/tools/uuid-generator) to create cryptographically random v4 UUIDs instantly — perfect for testing, configuration, or development.