What is a UUID?
What UUIDs are, how they're generated, the different versions, and when to use them instead of sequential IDs.
What is a UUID?
A UUID (Universally Unique Identifier) is a 128-bit label used to uniquely identify information without requiring a central authority to coordinate assignment. They look like this:
550e8400-e29b-41d4-a716-446655440000
That's 32 hexadecimal characters split into five groups by hyphens (8-4-4-4-12). The format is defined by RFC 4122 and is the same across all UUID versions.
The total number of possible UUIDs is 2¹²⁸ — about 340 undecillion (3.4 × 10³⁸). Even generating a billion UUIDs per second, it would take billions of years to exhaust the space. In practice, collisions are statistically impossible.
UUID versions
There are five standardized UUID versions plus newer additions. The version number appears as the first digit of the third group (the 4 in 41d4):
Version 1 — timestamp + MAC address
Generated from the current timestamp and the network card's MAC address. Globally unique but reveals when and where it was created — a privacy concern. Rarely used in new systems.
Version 3 — MD5 hash
Deterministically generated by hashing a namespace and a name with MD5. Given the same inputs, you always get the same UUID. Useful for stable IDs derived from known values (e.g., a URL → UUID mapping).
Version 4 — random (most common)
122 bits of cryptographically random data. No structure, no timestamp, no machine info. This is the version you should use by default — it's what most UUID generators produce.
Version 5 — SHA-1 hash
Like v3 but uses SHA-1 instead of MD5. Preferred over v3 when you need deterministic UUIDs. DNS, URL, OID, and X.500 are the defined namespaces.
Version 7 — time-ordered random (new)
RFC 9562 (2024) added v7: a Unix millisecond timestamp in the high bits, followed by random bits. Lexicographically sortable, database-friendly, and privacy-safe. Growing fast in adoption for database primary keys.
Generating UUIDs in code
Every major language has a built-in or widely-used library for UUID generation:
// JavaScript / Node.js (built-in since Node 19 / Web Crypto API)
const id = crypto.randomUUID()
// "4f9dac6e-8b3a-4c1d-b5f7-3e9a1c2d8f0e"
// Node.js (uuid package — v4 or v7)
import { v4 as uuidv4, v7 as uuidv7 } from 'uuid'
uuidv4() // random
uuidv7() // time-ordered
// Python
import uuid
str(uuid.uuid4())
# "b3d8c2f1-7a4e-4b9d-a1c3-5e2f8d9b0c7a"
// Go
import "github.com/google/uuid"
id := uuid.New().String()
// PostgreSQL (built-in)
SELECT gen_random_uuid();UUID vs sequential IDs
Auto-incrementing integers (1, 2, 3 …) are the default in most databases. UUIDs are an alternative with different tradeoffs:
Use UUIDs when:
- — You need IDs that are safe to expose publicly (sequential IDs let users enumerate records)
- — You're merging data from multiple databases or services
- — Clients need to generate IDs before hitting the server (offline-first, optimistic UI)
- — You want to avoid exposing record volume or growth rate to competitors
Stick with sequential IDs when:
- — Storage and index size matter (8 bytes vs 16 bytes)
- — You need human-readable, typeable IDs
- — Write performance on large B-tree indexes is critical (random UUIDs cause page fragmentation — use v7 to mitigate)
Storage formats
UUIDs are commonly stored in three formats:
-- Standard string (36 chars) "550e8400-e29b-41d4-a716-446655440000" -- Without hyphens (32 chars) "550e8400e29b41d4a716446655440000" -- Binary (16 bytes) — most compact, used by MySQL's UUID_TO_BIN() 0x550e8400e29b41d4a716446655440000
PostgreSQL has a native uuid column type that stores 16 bytes internally while displaying in the standard hyphenated format. MySQL and SQLite typically use CHAR(36) or BINARY(16).
Frequently asked questions
- Can two UUIDs ever be the same?
- Theoretically yes, but the probability is so small it's irrelevant in practice. For v4, 122 bits are random. You would need to generate roughly 2.7 × 10¹⁸ UUIDs before having a 50% chance of a single collision. Every system that needs uniqueness treats them as collision-proof.
- Is UUID the same as GUID?
- Yes. GUID (Globally Unique Identifier) is Microsoft's name for the same concept — it follows the same RFC 4122 format. The terms are interchangeable.
- Are UUIDs case-sensitive?
- No. The hex characters a–f can be upper or lowercase — "550E8400..." and "550e8400..." represent the same UUID. Most systems normalize to lowercase.
- Should I use v4 or v7 for database primary keys?
- v7 if your database supports it. v4 UUIDs are fully random, which causes index fragmentation in B-tree indexes on large tables (each insert lands at a random position). v7 UUIDs are time-ordered, so they insert at the end like sequential IDs, preserving index locality. For new projects on modern databases, v7 is the better default.