Which UUID version do you need?
A UUID is a 128-bit identifier you can generate anywhere without a central server and still expect to be unique. The version number says how it's built:
| Version | Based on | Good for |
|---|---|---|
| v4 | Random | The default — general-purpose unique IDs |
| v1 | Time + MAC address | Legacy; can leak the host and time |
| v7 | Unix time + random | Database keys — sortable by creation time |
This tool produces v4, the right choice for most uses. The odds of two v4 UUIDs colliding are so small you can ignore them in practice.
Gotcha — random UUIDs hurt as primary keys. Because v4 is random, rows insert in no particular order, which fragments clustered indexes (notably in MySQL/InnoDB) and slows large tables. If you need database keys, prefer v7 or a sequential ID; keep v4 for external-facing identifiers.
Reading a UUID
Take 3f2504e0-4f89-41d3-9a0c-0305e82c3301. The first digit of the third group (4) is the version, so this is a v4 (random) UUID. The first digit of the fourth group (9) is the variant field and is normally 8, 9, a or b. So you can identify any UUID's type from that one version digit.
Generating UUIDs in code
// JavaScript (modern browsers & Node)
crypto.randomUUID(); // v4
# Python
import uuid
uuid.uuid4() # random
uuid.uuid1() # time + nodeIf you are choosing identifiers for a high-write database table, reach for v7 rather than v4: its millisecond time prefix keeps values increasing, so new rows append neatly to the index instead of landing in random positions.
From v1's privacy leak to v7
The UUID versions are a small history of fixing each other's mistakes. v1 encodes a timestamp and the machine's MAC address, which makes it sortable but means a UUID can quietly reveal which computer made it and when — a real privacy leak that surfaced in a famous malware investigation. v4 threw all that out for pure randomness, which fixed the leak and became the default, at the cost of being completely unordered. v7, standardized in 2024's RFC 9562, is the modern compromise: a millisecond timestamp at the front for ordering, random bits for the rest for uniqueness. For most application code v4 is still the right, boring choice; v7 is the one to know about the moment UUIDs become database keys.
Why random UUIDs hurt as primary keys
This is the practical reason v7 exists. A v4 key is random, so each new row lands at a random spot in the table's primary index. On a clustered index — InnoDB in MySQL is the usual victim — that means constant page splits and a cache that's forever thrashing, and on a large, write-heavy table the slowdown is very real. A v7 key increases over time, so new rows append to the end of the index the way an auto-increment integer would, keeping inserts fast while still letting you generate IDs anywhere without a central counter. Storage matters too: a UUID kept as a 36-character string is wasteful next to the 16 bytes it really is, so high-volume tables store it as BINARY(16) (or Postgres's native uuid type) and save both space and index size.
One more judgement call: UUIDs make poor user-facing identifiers. They're long, ugly in a URL, and impossible to read over the phone. If humans will see or type the ID, a shorter scheme is kinder; keep UUIDs for internal and system-to-system use where their "generate anywhere, never collide" property is what you actually want.
What's the difference between v4 and v7, really?
v4 is fully random and unordered. v7 (RFC 9562, 2024) puts a millisecond timestamp first so values sort by creation time, which keeps database indexes happy on write-heavy tables. Use v4 for general IDs, v7 for primary keys.
How should I store a UUID in a database?
For high-volume tables, store the 16 raw bytes (BINARY(16), or Postgres's native uuid type) rather than a 36-character string. It's smaller, and the index is smaller, which matters at scale.
Is a v4 UUID random enough to use as a security token?
It is unpredictable, but it is an identifier, not a credential. For password-reset links or session tokens, use a purpose-built cryptographic random value instead of relying on a UUID.
Are these really random?
Yes. They use the browser's cryptographically secure generator (crypto.randomUUID / getRandomValues), the same source used for security tokens — not Math.random.
Are they generated on a server?
No. Everything happens in your browser, so the same UUID is never seen by anyone but you.
What's the nil UUID?
All zeros (00000000-0000-0000-0000-000000000000). It's a placeholder meaning "no UUID", not something you'd generate as a real ID.