2 min read
What Is a UUID and When Should You Use One?
UUIDs explained in plain English: what the 36 characters mean, why collisions are practically impossible, v4 vs other versions, and when not to use them.
The 36 characters, decoded
A UUID (Universally Unique Identifier, also called a GUID in Microsoft ecosystems) is a 128-bit value written as 32 hexadecimal characters in five dash-separated groups: 8-4-4-4-12, like f47ac10b-58cc-4372-a567-0e02b2c3d479. The format is standardized by RFC 4122, so a UUID generated on any system is understood by every other.
Two positions carry meaning. The first character of the third group is the version number — a 4 there means version 4, the random kind. The first character of the fourth group encodes the 'variant,' which for standard UUIDs is 8, 9, a, or b. Everything else in a v4 UUID is random: 122 bits of it.
Why collisions are practically impossible
The point of a UUID is that anyone can generate one, anywhere, with no coordination, and be confident it's unique. With 122 random bits there are about 5.3 undecillion (5.3 × 10³⁶) possible v4 UUIDs. To reach even a 50% chance of a single collision, you'd need to generate roughly a billion UUIDs per second for about 85 years.
This is why distributed systems love UUIDs: two servers, two apps, or two offline devices can create IDs simultaneously and merge their data later without conflicts — no central counter, no database round-trip, no locking.
The versions, briefly
Version 4 (pure random) is the default choice and what browsers generate natively via crypto.randomUUID(). Version 1 embeds a timestamp and historically the machine's MAC address — sortable, but it leaks when and where it was made, which is why it's fallen out of favor. Versions 3 and 5 are deterministic: they hash a name within a namespace, so the same input always yields the same UUID, useful for stable IDs derived from existing data.
The newer version 7 combines a millisecond timestamp with random bits, giving IDs that sort by creation time — a meaningful advantage for database primary keys, where fully random v4 keys scatter inserts across an index and hurt performance at scale. Rule of thumb: v4 for general use, v7 when IDs will be a sorted database key.
When a UUID is the wrong tool
UUIDs are 36 characters — ugly in URLs, impossible to read over the phone, and four times the storage of an integer. For user-facing references like order numbers or short links, a shorter human-friendly code is kinder. For a single database with one writer, a plain auto-incrementing integer remains simpler and faster.
And a UUID is an identifier, not a secret. Although v4 UUIDs are generated from a cryptographic source, treating them as passwords or session tokens conflates identification with authentication — use purpose-built tokens for security contexts.
Frequently asked questions
Are UUID and GUID the same thing?
Yes — GUID (Globally Unique Identifier) is Microsoft's name for the same RFC 4122 format. The terms are interchangeable.
Does capitalization matter in a UUID?
No. The hex digits are case-insensitive, and RFC 4122 recommends lowercase for output. Compare them case-insensitively to be safe.
Can I shorten a UUID?
You can re-encode the same 128 bits more compactly (base64url gets it to 22 characters), but truncating a UUID discards randomness and reintroduces collision risk. If you need short IDs, generate short IDs deliberately rather than cutting UUIDs.
Tools mentioned in this guide
Keep reading