Uvlio

Command Palette

Search for a command to run...

Back to articles
Technical Article

UUIDs Explained: Versions, Randomness, Sorting, and Safe Use

A UUID is a 128-bit identifier designed to be generated without asking a central database for the next number. That makes it useful in distributed systems, local prototypes, imports, offline clients, and test data. But UUIDs are not all the same. Some are random, some are derived from names, some include time information, and some sort better in databases. Choosing a UUID version is really a choice about collision risk, repeatability, privacy, and storage behavior.
Uvlio editorial team by limitcool2026-05-177 min read
Topic coverDeveloperUUID Generator

UUIDs Explained: Versions, Randomness, Sorting, and Safe Use

A technical guide to UUID versions, why v4, v5, and v7 behave differently, and where UUIDs are useful or misleading in application design.

Guide subject preview
Pick version
Generate ID
Check fit
Tool stack
UUID Generator
Reading focus
1Pick version
2Generate ID
3Check fit

Original workflow visual

UUIDs Explained: Versions, Randomness, Sorting, and Safe Use

This original Uvlio visual summarizes the practical path from input inspection to output review for this workflow.
1

Pick version

Review before moving forward

2

Generate ID

Review before moving forward

3

Check fit

Review before moving forward

Maintainer and review note
Maintained by limitcool. Use it to understand the technical model, processing boundaries, privacy risks, and verifiable behavior.
The basic shape of a UUID

The familiar UUID string has 32 hexadecimal characters separated by hyphens, such as 550e8400-e29b-41d4-a716-446655440000. The hyphens are formatting; the underlying value is 128 bits. Some bits identify the version and variant, while the remaining bits carry random data, time-derived data, or hash-derived data depending on the version. Because the space is enormous, random UUIDs can be generated independently with very low collision probability when the random source is strong.

UUID v4 is the classic random choice

Version 4 UUIDs are mostly random. They are easy to understand and good for test records, request IDs, temporary objects, and distributed creation where no coordination is available. Their weakness is ordering. A database index that receives v4 values jumps around because new IDs do not increase over time. That can matter for very large write-heavy tables. For ordinary application data, v4 is still common and practical, but it should not be mistaken for a secret token. An identifier can be hard to guess without being an authentication credential.

UUID v3 and v5 are deterministic

Versions 3 and 5 generate the same UUID when given the same namespace and name. Version 3 uses MD5, while version 5 uses SHA-1. They are useful when stable mapping matters: a namespace plus a product SKU, domain name, file path, or external key can produce repeatable IDs across imports. The tradeoff is predictability. If someone knows the namespace and name scheme, they can compute the same identifiers. Deterministic UUIDs are therefore good for stable references, not for access control.

UUID v7 is designed for time ordering

Version 7 UUIDs combine timestamp information with random bits so newer IDs usually sort after older ones. This makes them attractive for logs, event tables, and databases where insertion order matters. They also remain globally generatable without asking a database for a sequence. The timestamp portion is useful operationally, but it can reveal when an ID was created. That is not always a problem, but it is a real design detail when IDs are public, embedded in URLs, or exposed in customer-facing records.

UUIDs and database performance

Integer sequences are compact and naturally ordered, but they require central coordination and can reveal record counts. UUIDs avoid coordination and are easy to merge across systems, but they are larger and can make indexes less cache-friendly. Time-ordered UUIDs reduce some of the index churn without returning to a central sequence. The right answer depends on the workload. A small product table does not need the same ID strategy as an append-only event store receiving thousands of writes per second.

Do not use UUIDs as passwords

A UUID is an identifier. It is not automatically a session secret, password reset token, API key, or capability URL. Random v4 UUIDs are hard to guess, but security tokens need requirements beyond format: cryptographic randomness, enough entropy, expiration, revocation, storage rules, logging discipline, and clear authorization checks. If the value grants access, treat it as a credential and generate it with a security-focused token design. If it only names a row, a UUID is usually fine.

A practical selection guide

Use v4 when you want simple random IDs and do not care about sorting. Use v5 when you need repeatable IDs from a namespace and stable name. Consider v7 when records are created over time and ordering helps storage, logs, or debugging. Avoid v1 in public identifiers when hardware or timestamp privacy is a concern. Keep IDs lowercase and consistently formatted, validate input, and document whether the ID is public, internal, stable, or disposable. That documentation prevents later code from giving an identifier more meaning than it should have.

Common Questions

Can two UUID v4 values collide?

Yes in theory, but with a good random source the probability is extremely low for normal application volumes.

Is UUID v7 always better than v4?

No. v7 is useful when time ordering helps. v4 remains simpler when ordering and timestamp exposure do not matter.

Can I expose UUIDs in URLs?

Often yes, but do not treat the UUID as authorization. The server still needs normal permission checks.

Why do some teams prefer UUIDs over database sequences?

UUIDs can be generated before a record reaches the database, which helps offline clients, distributed imports, event pipelines, and systems that merge data from multiple sources. They also avoid revealing simple record counts. The tradeoff is larger storage, less readable identifiers, and possible index behavior differences.

Can a UUID tell me when something was created?

Only some versions carry time information. UUID v7 is intentionally time-sortable, while v4 is random and does not reveal creation time. If creation time is important, store an explicit timestamp instead of reverse-engineering business meaning from the identifier format.