UUID Guide: Types and Generation

What Is a UUID?

A UUID (Universally Unique Identifier) is a 128-bit value used to uniquely identify information in computer systems. Also known as a GUID (Globally Unique Identifier) in Microsoft ecosystems, UUIDs are designed to be unique across all systems without requiring a central authority to coordinate the assignment.

A typical UUID looks like this: 550e8400-e29b-41d4-a716-446655440000. The 32 hexadecimal digits are displayed in five groups separated by hyphens, following the pattern 8-4-4-4-12.

UUIDs are everywhere in modern software: database primary keys, API identifiers, session tokens, distributed system message IDs, and file identifiers. Their ubiquity stems from a crucial property: you can generate them independently on any machine and be virtually certain they will not collide with UUIDs generated anywhere else.

UUID Versions Explained

The UUID standard defines several versions, each using a different generation strategy:

Version 1 (Time-based): Combines a timestamp with the MAC address of the generating machine. This ensures uniqueness by tying the ID to a specific time and place. The downside is that it leaks information about when and where it was created.

Version 2 (DCE Security): A variant of Version 1 that incorporates POSIX user and group IDs. Rarely used in practice and not widely supported.

Version 3 (Name-based, MD5): Generates a UUID from a namespace identifier and a name by hashing them with MD5. The same namespace and name always produce the same UUID, making it deterministic and reproducible.

Version 4 (Random): Generated from random or pseudo-random numbers. This is the most commonly used version because it is simple, requires no coordination, and does not leak any information. The probability of collision is astronomically low.

Version 5 (Name-based, SHA-1): Like Version 3 but uses SHA-1 instead of MD5 for hashing. Preferred over Version 3 when deterministic generation from a name is needed, since SHA-1 is a stronger hash function.

Version 7 (Time-ordered): A newer addition that embeds a Unix timestamp in the first 48 bits, followed by random data. This provides the benefits of random UUIDs while maintaining chronological sortability, making it excellent for database primary keys.

Choosing the Right UUID Version

Your use case determines which version to choose:

• Need a unique ID with no special requirements? Use Version 4. It is the default choice for most applications.
• Need deterministic IDs from known inputs? Use Version 5. Given the same namespace and name, you always get the same UUID.
• Need sortable IDs for database keys? Use Version 7. The embedded timestamp means newer records sort after older ones, which improves database index performance.
• Need to avoid exposing timestamps? Use Version 4. Random generation reveals nothing about when the ID was created.
• Need time-based IDs? Use Version 1 if you are comfortable exposing MAC address information, or Version 7 for a modern alternative.

UUID vs Other Identifier Formats

UUIDs are not the only option for unique identifiers. Here is how they compare:

• Auto-incrementing integers: Simple and compact but only unique within a single database. They expose information about record count and creation order. Not suitable for distributed systems.
• NanoID: Shorter than UUIDs, URL-friendly, and configurable alphabet. Popular in frontend applications where shorter IDs are preferred.
• ULID: Lexicographically sortable, Crockford Base32 encoded, and compatible with UUID. Similar goals to UUID v7 but with a different encoding.
• Snowflake IDs: Used by Twitter and Discord. 64-bit integers that encode timestamp, machine ID, and sequence number. More compact than UUIDs but require coordination for machine ID assignment.
• CUID: Collision-resistant identifiers designed for horizontal scaling. Good for distributed systems but less standardized than UUIDs.

UUIDs in Databases

When using UUIDs as database primary keys, consider these trade-offs:

Advantages:

• Safe to generate on the application side without database round-trips
• Enable data merging from multiple sources without ID conflicts
• Do not reveal record counts or creation order (Version 4)
• Work naturally in distributed and microservice architectures

Challenges:

• 128 bits is larger than a 32-bit or 64-bit integer, consuming more storage and memory
• Random UUIDs (Version 4) cause index fragmentation in B-tree indexes because they are not sequential
• Harder to communicate verbally or type manually compared to short integers

Version 7 UUIDs address the index fragmentation problem by being time-ordered while retaining the other benefits of UUIDs.

UUID Validation and Formatting

A valid UUID matches the regex pattern:

^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$

Conventions and best practices for UUID formatting:

• Lowercase hexadecimal: While technically case-insensitive, lowercase is the convention. Store and compare UUIDs in lowercase.
• Include hyphens: The canonical format includes hyphens. Some systems strip them for storage efficiency, but display them in user-facing contexts.
• Store as binary when possible: In databases, store UUIDs as native UUID types or 16-byte binary fields rather than 36-character strings. This saves storage and improves query performance.

A UUID generator is useful for quickly creating test IDs, populating seed data, or generating identifiers for configuration files.

Security Considerations

UUIDs are identifiers, not security tokens:

• Version 1 UUIDs reveal the creation time and MAC address of the generating machine. Do not use them where this information should be private.
• Version 4 UUIDs are random but not cryptographically secure by default in all implementations. If you need unguessable tokens for security purposes (like password reset links), use a cryptographically secure random generator, not a standard UUID library.
• UUIDs are not secrets: Treat them as public identifiers. If knowing a UUID grants access to a resource, you need additional authorization checks, not longer UUIDs.

For secure token generation, use dedicated functions like crypto.randomUUID() in modern JavaScript or secrets.token_urlsafe() in Python, which are backed by cryptographic random sources.

Try our free UUID Generator — no signup required.