What is UUID Version 4?
UUID version 4 (also known as random UUID) is a unique identifier generated entirely using random or pseudo-random numbers. Unlike UUID v1 which uses timestamps, or UUID v5 which uses hashing, UUID v4 relies solely on randomness for uniqueness.
Of the 128 bits in a UUID v4, 122 bits are randomly generated. The remaining 6 bits are used to indicate the version (4 bits set to "0100" for version 4) and variant (2 bits set to "10" for RFC 4122). This means there are 2122 (approximately 5.3 × 1036) possible UUID v4 values.
UUID v4 is the most commonly used UUID version in modern software development due to its simplicity, privacy benefits, and excellent collision resistance. Our generator uses the browser's Web Crypto API to ensure cryptographically secure random number generation.
Key Benefits of UUID v4
- • Complete privacy: No timestamp, MAC address, or system information embedded
- • Unpredictable: Cannot be guessed or enumerated by attackers
- • Simple to generate: Just needs a good random number source
- • Widely supported: Built-in support in most programming languages
- • Cryptographically secure: When generated with proper random sources
UUID v4 Structure
A UUID v4 follows the standard UUID format with specific bits reserved for version and variant identification:
xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
Where:
4 = Version 4 (always "4")
y = Variant (8, 9, a, or b)
x = Random hexadecimal digit (0-9, a-f)
Example UUID v4: f47ac10b-58cc-4372-a567-0e02b2c3d479
You can always identify a UUID v4 by checking that:
- The 13th character (first character of the third group) is "4"
- The 17th character (first character of the fourth group) is "8", "9", "a", or "b"
Use our UUID Validator to automatically detect the version of any UUID.
How Random is UUID v4? Understanding Collision Probability
UUID v4's uniqueness comes from the extreme improbability of generating the same random number twice. With 122 random bits, the math works strongly in your favor:
Total Possible UUIDs
5.3 × 1036
That's 5.3 undecillion unique possibilities
50% Collision Probability At
2.71 × 1018
UUIDs generated (2.71 quintillion)
Real-World Perspective
- • 1 billion UUIDs/second: 86 years to reach 50% collision probability
- • Every human on Earth: Could each generate 600 million UUIDs before 50% collision chance
- • Your application: Even generating 1 million UUIDs per day for 100 years, collision probability is ~10-24
Quality of Randomness Matters
The collision probabilities above assume a cryptographically secure random number generator (CSRNG). Our UUID v4 generator uses crypto.randomUUID() or crypto.getRandomValues(), which are CSRNGs. Avoid using Math.random() for UUID generation as it's not cryptographically secure and may produce more collisions.
When to Use UUID v4
UUID v4 is the best choice for most applications. Here's when you should (and shouldn't) use it:
Perfect For
- • Session tokens: Unpredictable and unguessable
- • API keys: Secure and unique identifiers
- • User IDs in URLs: Don't reveal user count
- • File names: No conflicts, no information leakage
- • Correlation IDs: Request tracing across services
- • Temporary identifiers: Short-lived unique references
- • Security tokens: Password reset links, email verification
Consider Alternatives When
- • Database primary keys: Consider UUID v7 for better index performance
- • Time ordering needed: Use UUID v1 or v7
- • Deterministic IDs: Use UUID v5 for reproducible identifiers
- • Short IDs needed: Consider nanoid or custom solutions
- • Human readability: Use sequential IDs with separate security tokens
UUID v4 vs Other UUID Versions
| Feature | UUID v4 | UUID v1 | UUID v7 |
|---|---|---|---|
| Generation Method | Random numbers | Timestamp + MAC | Unix time + random |
| Time-Sortable | No | Partially | Yes |
| Privacy | Excellent | Poor (exposes MAC) | Good |
| Database Index | Poor (random) | Moderate | Excellent |
| Unpredictability | High | Low | Moderate |
| Language Support | Universal | Good | Growing |
💡 Quick Decision Guide
- • Security tokens, API keys, sessions: UUID v4 ✓
- • Database primary keys (new projects): UUID v7 for performance
- • Legacy systems: Check what they require
- • When in doubt: UUID v4 is almost always a safe choice
Generate UUID v4 in Code
UUID v4 has excellent native support across programming languages. Here's how to generate them:
// Native browser API (Chrome 92+, Firefox 95+, Safari 15.4+)
const uuid = crypto.randomUUID();
console.log(uuid); // e.g., "f47ac10b-58cc-4372-a567-0e02b2c3d479"
// Node.js 19+ also supports crypto.randomUUID()
import { randomUUID } from 'crypto';
const id = randomUUID();import uuid
# Generate UUID v4
my_uuid = uuid.uuid4()
print(my_uuid) # e.g., f47ac10b-58cc-4372-a567-0e02b2c3d479
# Convert to string without hyphens
print(my_uuid.hex) # f47ac10b58cc4372a5670e02b2c3d479import java.util.UUID;
// Generate UUID v4 - built into Java since 1.5!
UUID uuid = UUID.randomUUID();
System.out.println(uuid); // e.g., f47ac10b-58cc-4372-a567-0e02b2c3d479
// Get as string
String uuidString = uuid.toString();// Generate GUID (Microsoft's name for UUID v4)
Guid guid = Guid.NewGuid();
Console.WriteLine(guid); // e.g., f47ac10b-58cc-4372-a567-0e02b2c3d479
// Format options
Console.WriteLine(guid.ToString("N")); // No hyphens
Console.WriteLine(guid.ToString("B")); // With braces {}import "github.com/google/uuid"
// Generate UUID v4
id := uuid.New()
fmt.Println(id.String()) // e.g., f47ac10b-58cc-4372-a567-0e02b2c3d479
// Or generate with explicit v4 function
id = uuid.NewRandom()More language guides: PHP, Ruby, Rust, Swift, Kotlin, TypeScript, Bash.
UUID v4 in Databases
While UUID v4 works in any database, there are some performance considerations to be aware of:
Index Performance Warning
Random UUID v4 values cause index fragmentation because new values are inserted at random positions rather than sequentially. This can slow down write operations and increase storage requirements. For high-volume tables, consider UUID v7 or database-specific optimizations.
-- PostgreSQL 13+ has gen_random_uuid() built-in
CREATE TABLE users (
id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
email VARCHAR(255) NOT NULL
);
-- Insert with auto-generated UUID
INSERT INTO users (email) VALUES ('[email protected]');
-- Or generate in query
SELECT gen_random_uuid();-- Note: MySQL's UUID() generates v1, not v4
-- For v4, generate in application code or use:
CREATE TABLE users (
id BINARY(16) PRIMARY KEY,
email VARCHAR(255) NOT NULL
);
-- Insert with application-generated UUID v4
INSERT INTO users (id, email)
VALUES (UUID_TO_BIN('f47ac10b-58cc-4372-a567-0e02b2c3d479'), '[email protected]');Security Considerations
UUID v4 IS Suitable For
- • Session identifiers (when combined with proper session management)
- • API keys (as part of a complete API key system)
- • Password reset tokens (with expiration)
- • Email verification links
- • Correlation IDs for logging
UUID v4 is NOT a Replacement For
- • Cryptographic keys (use proper key derivation functions)
- • Passwords (use proper password hashing)
- • Encryption keys (use dedicated key generation)
- • Signing secrets (use purpose-built secret generation)
While UUID v4 provides excellent uniqueness and unpredictability, always use appropriate security measures for your specific use case. A UUID alone shouldn't be your only security mechanism.
Related UUID Tools
Frequently Asked Questions
Is UUID v4 really random?
Yes, when generated correctly. Our generator uses crypto.randomUUID() which relies on cryptographically secure random number generators (CSRNGs). These are designed to be unpredictable and suitable for security-sensitive applications. Avoid generators that use Math.random() as it's not cryptographically secure.
Can two systems generate the same UUID v4?
Theoretically yes, but practically no. The probability is so astronomically low (about 1 in 2122) that it's not a realistic concern. You're more likely to be struck by a meteorite while winning the lottery than to generate a duplicate UUID v4.
Should I use UUID v4 for database primary keys?
It depends. UUID v4 works but can cause index fragmentation due to random distribution. For high-volume tables, consider UUID v7 which is time-ordered and provides better index performance. For low-to-medium volume tables, UUID v4 is perfectly fine.
How do I validate a UUID v4?
Check that: (1) it's 36 characters with hyphens in positions 8, 13, 18, 23; (2) the 13th character is "4"; (3) the 17th character is "8", "9", "a", or "b". Or use our UUID Validator tool to automatically check any UUID.