UtilityBase logoUtilityBase

2 min read

What Is a UUID and When Should You Use One?

UUIDs explained in plain English: what the 36 characters mean, why collisions are practically impossible, v4 vs other versions, and when not to use them.

The 36 characters, decoded

A UUID (Universally Unique Identifier, also called a GUID in Microsoft ecosystems) is a 128-bit value written as 32 hexadecimal characters in five dash-separated groups: 8-4-4-4-12, like f47ac10b-58cc-4372-a567-0e02b2c3d479. The format is standardized by RFC 4122, so a UUID generated on any system is understood by every other.

Two positions carry meaning. The first character of the third group is the version number — a 4 there means version 4, the random kind. The first character of the fourth group encodes the 'variant,' which for standard UUIDs is 8, 9, a, or b. Everything else in a v4 UUID is random: 122 bits of it.

Why collisions are practically impossible

The point of a UUID is that anyone can generate one, anywhere, with no coordination, and be confident it's unique. With 122 random bits there are about 5.3 undecillion (5.3 × 10³⁶) possible v4 UUIDs. To reach even a 50% chance of a single collision, you'd need to generate roughly a billion UUIDs per second for about 85 years.

This is why distributed systems love UUIDs: two servers, two apps, or two offline devices can create IDs simultaneously and merge their data later without conflicts — no central counter, no database round-trip, no locking.

The versions, briefly

Version 4 (pure random) is the default choice and what browsers generate natively via crypto.randomUUID(). Version 1 embeds a timestamp and historically the machine's MAC address — sortable, but it leaks when and where it was made, which is why it's fallen out of favor. Versions 3 and 5 are deterministic: they hash a name within a namespace, so the same input always yields the same UUID, useful for stable IDs derived from existing data.

The newer version 7 combines a millisecond timestamp with random bits, giving IDs that sort by creation time — a meaningful advantage for database primary keys, where fully random v4 keys scatter inserts across an index and hurt performance at scale. Rule of thumb: v4 for general use, v7 when IDs will be a sorted database key.

When a UUID is the wrong tool

UUIDs are 36 characters — ugly in URLs, impossible to read over the phone, and four times the storage of an integer. For user-facing references like order numbers or short links, a shorter human-friendly code is kinder. For a single database with one writer, a plain auto-incrementing integer remains simpler and faster.

And a UUID is an identifier, not a secret. Although v4 UUIDs are generated from a cryptographic source, treating them as passwords or session tokens conflates identification with authentication — use purpose-built tokens for security contexts.

Frequently asked questions

Are UUID and GUID the same thing?

Yes — GUID (Globally Unique Identifier) is Microsoft's name for the same RFC 4122 format. The terms are interchangeable.

Does capitalization matter in a UUID?

No. The hex digits are case-insensitive, and RFC 4122 recommends lowercase for output. Compare them case-insensitively to be safe.

Can I shorten a UUID?

You can re-encode the same 128 bits more compactly (base64url gets it to 22 characters), but truncating a UUID discards randomness and reintroduces collision risk. If you need short IDs, generate short IDs deliberately rather than cutting UUIDs.

Tools mentioned in this guide

Keep reading