Every application that stores data needs a way to uniquely identify things. Whether you are building a database, designing an API, or managing files across distributed systems, you need identifiers that won't clash. UUIDs — Universally Unique Identifiers — solve this problem elegantly by generating IDs that are practically guaranteed to be unique without any central coordination.
This guide walks you through everything you need to know about UUID generators: the different versions, when to use each one, how to generate them in various programming languages, and best practices for production systems.
What Is a UUID?
A UUID is a 128-bit number, typically represented as a 36-character string in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. For example:
550e8400-e29b-41d4-a716-446655440000
The standard is defined in RFC 4122, with newer versions like UUID v7 introduced in RFC 9562. The key advantage of UUIDs is that any system can generate them independently without checking a central registry, and the probability of collision is vanishingly small.
Fun fact: The theoretical probability of generating a duplicate UUID v4 is roughly 1 in 5.3 × 10^36. You would need to generate 103 trillion UUIDs before having a 50% chance of even a single collision.
UUID Versions Explained
Not all UUIDs are created equal. Each version uses a different generation strategy, and choosing the right one matters for performance, security, and database efficiency.
| Version | Method | Sortable? | Best For |
|---|
| v1 | Timestamp + MAC address | Yes (time-based) | Legacy systems |
| v3 | MD5 hash of namespace + name | No | Deterministic IDs from names |
| v4 | Random | No | General purpose, security tokens |
| v5 | SHA-1 hash of namespace + name | No | Deterministic IDs (preferred over v3) |
| v7 | Unix timestamp + random | Yes (time-ordered) | Databases, distributed systems |
UUID v1 — Time-Based
UUID v1 combines the current timestamp with the generating machine's MAC address (or a random node ID). This makes them time-sortable but introduces a privacy concern since the MAC address is embedded. Most modern applications avoid v1 in favor of v4 or v7.
UUID v4 — Random
UUID v4 generates 122 random bits (with 6 bits reserved for version and variant). It is the most widely used version and is excellent for general-purpose identifiers, security tokens, and session IDs. The downside: random UUIDs create index fragmentation in databases because they scatter across the keyspace.
UUID v5 — Name-Based (SHA-1)
UUID v5 produces a deterministic identifier by hashing a namespace UUID and a name string with SHA-1. Given the same namespace and name, you always get the same UUID. This is useful for generating consistent IDs from natural keys, like converting a user's email into a fixed identifier.
UUID v7 — Time-Ordered (Modern Favorite)
UUID v7, defined in RFC 9562 (2024), combines a Unix timestamp millisecond with random bits. This gives you the uniqueness of UUIDs with the index-friendliness of auto-incrementing IDs. It is rapidly becoming the recommended default for new applications, especially those using PostgreSQL or other B-tree-indexed databases.
How to Generate UUIDs
Online UUID Generator
The fastest way to generate a UUID is through an online tool. Risetop's UUID Generator lets you create single or bulk UUIDs in any version, copy them with one click, and choose formats (uppercase, no hyphens, etc.). No installation or coding required.
JavaScript / Node.js
// Node.js (built-in, v19+)
const { randomUUID } = require('crypto');
console.log(randomUUID()); // "550e8400-e29b-41d4-a716-446655440000"
// Browser
console.log(crypto.randomUUID());
// With the 'uuid' npm package
const { v4: uuidv4, v7: uuidv7 } = require('uuid');
console.log(uuidv4()); // random
console.log(uuidv7()); // time-ordered
Python
import uuid
print(uuid.uuid4()) # random
print(uuid.uuid5(uuid.NAMESPACE_DNS, 'example.com')) # name-based
# For UUID v7, use: pip install uuid6
from uuid6 import uuid7
print(uuid7()) # time-ordered
Java
import java.util.UUID;
UUID id = UUID.randomUUID();
System.out.println(id.toString());
// Java 21+ doesn't have built-in v7 yet, use:
// UUID.fromString("0190a6e7-3b8c-7d4f-8e1a-2b3c4d5e6f70");
Go
package main
import (
"fmt"
"github.com/google/uuid"
)
func main() {
id := uuid.New()
fmt.Println(id.String())
// UUID v7 (google/uuid v5.6+)
v7 := uuid.NewV7()
fmt.Println(v7.String())
}
UUID Format Variants
While the standard format uses lowercase hex with hyphens, you may encounter or need several variations:
- Standard:
550e8400-e29b-41d4-a716-446655440000
- Uppercase:
550E8400-E29B-41D4-A716-446655440000
- No hyphens:
550e8400e29b41d4a716446655440000
- URN notation:
urn:uuid:550e8400-e29b-41d4-a716-446655440000
- Base64 encoded:
VQ6EQAopQdSnFkRGVUQAAA==
Most databases store UUIDs in their standard 36-character string form or as a native binary type. PostgreSQL has a dedicated UUID column type, and MySQL supports it as of version 8.0.
Real-World Use Cases
Database Primary Keys
UUIDs are increasingly popular as primary keys in distributed architectures. They allow you to generate IDs on the client side before sending data to the server, eliminating the need for a round-trip to get an auto-incremented ID. UUID v7 is particularly well-suited here because its time-ordered structure prevents the index fragmentation that plagues UUID v4.
API Request Tracking
Attach a UUID to every API request for end-to-end tracing. When a request flows through multiple microservices, each service can log the same correlation ID, making it trivial to trace the full lifecycle of a request in your observability tools.
File and Object Storage
Use UUIDs as file names in object storage (S3, GCS, Azure Blob) to avoid collisions and name-guessing attacks. Instead of naming a file avatar.png, name it 550e8400-e29b-41d4-a716-446655440000.png.
Security Tokens
UUID v4's randomness makes it suitable for password reset tokens, session identifiers, email verification links, and one-time use tokens. While not cryptographically vetted like a dedicated token, UUID v4 provides sufficient entropy for most non-critical security scenarios.
Best Practices
- Prefer UUID v7 for databases — time-ordered UUIDs dramatically reduce index fragmentation and improve write performance in B-tree indexed tables.
- Use UUID v4 for security tokens — pure randomness is what you want for tokens, session IDs, and one-time links.
- Store as native UUID type — PostgreSQL's
UUID type stores UUIDs in 16 bytes instead of 36 bytes for text. Always use the native type when available.
- Use uppercase or lowercase consistently — don't mix cases in your system. Pick one and stick with it.
- Never parse UUIDs as 64-bit integers — UUIDs are 128-bit. Truncating them destroys uniqueness guarantees.
- Validate before accepting — always validate the format of incoming UUIDs to prevent injection or processing errors.
Frequently Asked Questions
What is a UUID and why do I need one?
A UUID (Universally Unique Identifier) is a 128-bit identifier that is practically guaranteed to be unique across all systems and time. You need UUIDs when you require unique identifiers without centralized coordination — such as database primary keys, distributed system entity IDs, file names, and API request tracking.
What is the difference between UUID v4 and UUID v7?
UUID v4 is entirely random, which is great for security but poor for database indexing because values scatter randomly across the index. UUID v7 embeds a Unix timestamp in the first 48 bits, making it time-ordered and far more efficient for database B-tree indexes while still providing strong uniqueness guarantees.
Can UUIDs collide?
Technically yes, but the probability is astronomically low. For UUID v4 (122 random bits), the chance of a single collision among 103 trillion IDs is about one in a billion. In practice, collisions are effectively impossible unless your random number generator is broken.
Should I use UUIDs or auto-increment IDs in my database?
It depends on your architecture. Use auto-increment IDs for single-database applications where simplicity and index locality matter. Use UUIDs for distributed systems, microservices, or any scenario where entities must be uniquely identifiable across multiple databases or services without coordination.
Is it safe to use UUIDs in URLs?
Yes, UUIDs are URL-safe. Standard UUIDs contain only hex characters (0-9, a-f) and hyphens, all of which are valid in URLs without encoding. Many applications use UUIDs directly in URL paths and query parameters.
Related Tools
Try Our Free UUID Generator
Generate UUID v4, v7, and more — bulk mode, custom formats, one-click copy.
Generate UUIDs Now →