Free Online UUID Generator & Decoder
Generate universally unique identifiers (UUIDs) in every version defined by RFC 4122 and RFC 9562 — v1 (timestamp + node), v3 (MD5 namespace), v4 (random), v5 (SHA-1 namespace), v6 (sortable v1), v7 (Unix time-ordered, database-friendly), v8 (custom / vendor), plus the Nil and Max sentinel values — single or in bulk up to 1,000. Use the four standard namespace presets (DNS, URL, OID, X500) or paste a custom namespace for deterministic v3 and v5 generation. Paste any existing UUID into the Inspector above to decode its version, variant, and embedded timestamp, and convert it to canonical, uppercase, no-hyphens, braced GUID, URN, Base64, 128-bit decimal, or a byte array. Everything runs 100% client-side — no data is ever sent to a server.
What is a UUID?
A UUID (Universally Unique Identifier) is a 128-bit number used to identify information in computer systems. UUIDs are standardized by RFC 4122 and are designed to be unique across space and time without requiring a central registration authority. They are also known as GUIDs (Globally Unique Identifiers) in Microsoft ecosystems.
UUIDs are represented as 32 hexadecimal digits displayed in five groups separated by hyphens, in the form xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, where M indicates the version and N indicates the variant.
UUID Format Breakdown
A standard UUID consists of 32 hexadecimal characters (128 bits) arranged in a specific pattern:
| Section | Length | Description |
|---|---|---|
| time_low | 8 hex digits | Low 32 bits of the timestamp |
| time_mid | 4 hex digits | Middle 16 bits of the timestamp |
| time_hi_and_version | 4 hex digits | High 12 bits of timestamp + 4-bit version (4 for v4) |
| clock_seq | 4 hex digits | Clock sequence and variant bits |
| node | 12 hex digits | Node identifier (random in v4) |
Example: 550e8400-e29b-41d4-a716-446655440000 — the 4 indicates version 4, and a (binary 10xx) indicates the RFC 4122 variant.
All UUID Versions Compared
The original UUID specification (RFC 4122, 2005) defined five versions (v1, v2, v3, v4, v5). RFC 9562 (May 2024) replaced it and added three new versions (v6, v7, v8) plus the Max UUID. Here's every version in use today:
| Version | Source | Sortable | Best For |
|---|---|---|---|
| v1 | Timestamp + MAC / node | Partial | Time-ordering (legacy); avoid — leaks MAC |
| v2 | DCE Security (POSIX UID/GID) | Partial | Rare; DCE-specific; almost never used |
| v3 | MD5(namespace + name) | No | Deterministic IDs from names (legacy) |
| v4 | Cryptographic random (122 bits) | No | General-purpose unique IDs; default choice |
| v5 | SHA-1(namespace + name) | No | Deterministic IDs from names (modern) |
| v6 | Reordered v1 timestamp + node | Yes | v1 replacement with proper lexicographic order |
| v7 | Unix ms timestamp + random | Yes | Database primary keys; modern default |
| v8 | Custom / vendor-defined | Depends | Embedding your own ID scheme in UUID format |
| Nil | All zeros | — | Sentinel / placeholder / absence of value |
| Max | All ones (FFFF…) | — | Sentinel for highest possible value |
Deep Dive: Every UUID Version
UUID v1 — Timestamp + Node Identifier
The original time-based UUID. Combines a 60-bit timestamp with a 48-bit node identifier (traditionally the machine's MAC address) and a 14-bit clock sequence to prevent collisions when the clock is reset or multiple UUIDs are generated in the same 100-nanosecond interval.
Problem:v1's byte order scatters the timestamp across time_low/time_mid/time_hi, so v1 UUIDs are NOT lexicographically sortable by creation time. Using the real MAC also leaks host identity — a privacy concern. Modern implementations use a random node with the multicast bit set (as this tool does) to avoid MAC leakage.
Verdict: Use v6 or v7 instead. v1 exists mostly for backward compatibility.
UUID v2 — DCE Security (Historical)
A niche variant defined by the Distributed Computing Environment (DCE). It trades timestamp resolution for embedding a POSIX UID/GID. Almost no modern system uses v2 — it's effectively deprecated. Mentioned for completeness; don't use it.
UUID v3 — MD5 Namespace Hash
Deterministic UUIDs: given the same namespace UUID and name string, v3 always produces the same output. Uses MD5 hashing. Useful when you need a reproducible ID derived from an existing identifier (e.g., a URL or a DNS name) without storing a mapping table.
Standard namespaces (from RFC 4122): DNS (6ba7b810-9dad-11d1-80b4-00c04fd430c8), URL, OID, X500.
Verdict: Prefer v5 — same idea, stronger hash (SHA-1). v3 only exists for legacy systems.
UUID v4 — Cryptographically Random
The most commonly used UUID version. Every bit except version and variant is pulled from a cryptographically secure random number generator. With 2¹²² possible values, the collision probability is astronomically low — you could generate 1 billion UUIDs per second for 85 years before a 50% chance of a single duplicate.
Strengths: Simple, universal, no inputs required, privacy-preserving (no timestamps or MACs leak), no clock dependencies.
Weakness: Random insertion order causes B-tree index fragmentation in databases. For a primary key at scale, prefer v7.
UUID v5 — SHA-1 Namespace Hash
Identical concept to v3 but uses SHA-1 instead of MD5. Both are hash-based and deterministic. SHA-1 is still considered safe for ID generation (though not for cryptographic integrity). Use v5 whenever you'd otherwise use v3 — same namespaces, same interface, better hash.
UUID v6 — Reordered v1 (Sortable Time-Ordered)
Introduced in RFC 9562 (2024) as a fix for v1's sort ordering. Takes the same 60-bit Gregorian timestamp and node/clock fields, but places the most-significant timestamp bits at the start of the UUID. Result: lexicographic (string) sorting matches creation time — great for index locality in databases.
Verdict:A good middle ground if you're migrating from v1 and want to keep the node structure. For new designs, v7 is simpler and uses the familiar Unix epoch.
UUID v7 — Unix Timestamp + Random (Modern Default)
The new recommended default for database primary keys. First 48 bits are milliseconds since Unix epoch, encoded big-endian. The remaining 74 bits are random (minus 4 version + 2 variant bits). Because the timestamp is at the start, v7 UUIDs sort naturally by creation time in both binary and string comparisons.
Why it matters for databases: B-tree indexes (used by Postgres, MySQL, SQL Server for primary keys) work best when new inserts go to the right end of the tree. Random v4 UUIDs scatter inserts across all leaf pages, causing expensive page splits and poor cache locality. v7 inserts always append — same performance as bigint auto-increment.
Trade-off:The timestamp is readable, so creation time is visible to anyone who sees the UUID. If that's a leak, use v4 instead.
UUID v8 — Vendor / Custom
A deliberate escape hatch in RFC 9562. v8 lets you pack your own application-specific data into a UUID-shaped 128-bit value while still being recognizable as a UUID. Common uses: encoding a shard key + local ID, embedding a small domain-specific timestamp scheme, or combining multiple identifier types into one ID. Use only when none of v4/v5/v7 fits your layout requirements — and document the format clearly.
Nil UUID — All Zeros
A special UUID value reserved to represent "no value" or "unset". Often used as a default value, a sentinel, or to represent absence in systems that require a non-null UUID field. Never generate it randomly — always use it intentionally.
Max UUID — All Ones
Added in RFC 9562 as the counterpart to Nil. Represents the maximum possible UUID value. Useful as a sentinel for "greatest value" in sorted UUID collections, range queries, and boundary markers.
Generate UUIDs in Your Language
Copy-paste ready snippets for every UUID version in the languages and databases developers actually use. Pick your stack below:
// Node 14.17+ / all modern browsers const id = crypto.randomUUID();
import { v1, v3, v4, v5 } from "uuid";
const id4 = v4();
const id1 = v1();
const id5 = v5("hello", v5.URL);// uuid >= 11.0
import { v7 } from "uuid";
const id = v7();Decision Guide: Which Version Should You Use?
Timestamp-prefixed IDs keep B-tree indexes healthy and writes append-friendly.
Simple, no time leaks, universally supported everywhere.
Same namespace + name always produces the same UUID, using SHA-1.
No timestamp leak. v7 exposes creation time.
Drop-in v1 replacement that actually sorts correctly.
The reserved all-zeros UUID explicitly means "no value".
Only use if v4/v5/v7 genuinely don't fit. Document the scheme.
These two cover 99% of real-world needs. Start here.
The UUID Variant Field
Every UUID has a 2- to 3-bit variant field that indicates which specification it follows. You can spot it by looking at the first character of the 4th group in the canonical string form:
| Variant bits | First hex char | Spec |
|---|---|---|
| 0xxx | 0–7 | NCS backwards compatibility (legacy Apollo) |
| 10xx | 8, 9, a, b | RFC 4122 / RFC 9562 — what you'll see 99% of the time |
| 110x | c, d | Microsoft Component Object Model (COM) — older Windows GUIDs |
| 111x | e, f | Reserved for future use |
Example: in 550e8400-e29b-41d4-a716-446655440000, the a (binary 1010) indicates RFC 4122 variant. The digit before that (4) indicates version 4.
Collision Probability by Version
| Version | Random bits | Collisions likely after |
|---|---|---|
| v1 / v6 | 14 (clock seq) + full node | Effectively zero with unique MAC; with random node, 2⁴⁸ nodes × 10k per ms |
| v4 | 122 | ~2.7 × 10¹⁸ UUIDs for 50% chance of any collision |
| v7 | 74 (per millisecond) | ~5.4 billion in the same millisecond for 50% collision |
| v3 / v5 | Hash output (input-dependent) | Only if the same namespace + name is reused |
These are theoretical birthday-problem bounds. In practice, v4 and v7 collisions are never observed in real systems.
UUID vs ULID, NanoID, Snowflake, KSUID
UUID isn't the only unique ID format in use. Here's how it stacks up against the popular alternatives developers compare it to. Many of them were invented specifically to solve problems with UUID v4 that v7 has since addressed.
| Format | Size | Sortable | Encoding | Typical length | Best for |
|---|---|---|---|---|---|
| UUID v4 | 128 bit | No | Hex + hyphens | 36 chars | General-purpose random IDs |
| UUID v7 | 128 bit | Yes | Hex + hyphens | 36 chars | Database primary keys (new default) |
| ULID | 128 bit | Yes | Crockford Base32 | 26 chars | Log-like systems, human-pasteable sortable IDs |
| NanoID | 126 bit (default) | No | URL-safe alphabet | 21 chars (configurable) | Shorter URLs, slugs, short random tokens |
| Snowflake | 64 bit | Yes | Decimal | 18-19 digits | Distributed systems with coordinator (Twitter/Discord/Slack) |
| KSUID | 160 bit | Yes | Base62 | 27 chars | Segment-style event IDs with more entropy than ULID |
| CUID2 | varies | No | Base36 alphabet | 24 chars (default) | Horizontally-scalable collision-resistant IDs |
UUID v7 vs ULID
Functionally near-identical — both are 128-bit time-ordered IDs with ~74 bits of randomness. The main differences are encoding (UUID v7 uses hex-with-hyphens, ULID uses Crockford Base32) and ecosystem (UUID is universally supported, ULID is niche). For new projects, UUID v7 is usually the better pick because every database, language, and library already supports the UUID format.
UUID vs NanoID
NanoID is smaller (21 chars vs 36) and URL-safe by default, making it better for user-facing URLs and slugs. But NanoID is NOT sortable and has slightly fewer bits of randomness in its default config. Use NanoID when you want short visible IDs; use UUID v4/v7 when you need the universal format or sortability.
UUID vs Snowflake
Snowflake IDs are only 64-bit (fit in a BIGINT) and designed for coordinated distributed systems: each node gets a machine ID and increments a sequence. This requires running a Snowflake service or coordinator. UUIDs don't need coordination — any node can generate one independently. Use Snowflake in large-scale systems already running a coordinator; use UUID v7 everywhere else.
UUID vs KSUID
KSUID is like a 160-bit ULID — more entropy, slightly longer encoding (27 chars). Popular in Segment's event-tracking stack. For most applications UUID v7 or ULID is sufficient; KSUID shines when you need extra entropy for event streams.
Common UUID Mistakes (Anti-patterns)
UUIDs are simple to generate but easy to misuse. Every one of these mistakes has caused real production incidents. Read them once and save yourself the debugging time later.
Using v1 in public-facing IDs
Securityv1 encodes a 48-bit node identifier — traditionally the machine's MAC address — into every UUID. Publish one v1 UUID and anyone can see which machine generated it. Worse, successive v1 UUIDs reveal the generation time and sequence. If you need time-ordering, use v6 or v7 instead. If you need privacy, use v4.
Using v4 as a primary key at scale
PerformanceRandom v4 inserts cause B-tree index fragmentation in Postgres, MySQL, and SQL Server. Under high write load you'll see expensive page splits, poor cache locality, and slower sequential scans. Benchmarks show 2-5x slower inserts at >10M rows. Switch to v7 — timestamp-prefixed IDs keep writes append-only and cache-friendly.
Storing UUIDs as VARCHAR(36)
PerformanceA UUID string is 36 bytes of text, but the UUID itself is only 16 bytes. Storing as VARCHAR(36) wastes 20 bytes per row, bloats indexes, and slows comparisons. Use Postgres's native uuid type, MySQL BINARY(16) with UUID_TO_BIN(), or SQL Server uniqueidentifier. The savings compound with every index you touch.
Assuming v3/v5 are unique
Correctnessv3 and v5 are deterministic — same namespace + name always produces the same UUID. If two callers hash the same name, they get the same 'ID'. Don't use them as primary keys unless you genuinely want that property. They're for lookups ('what UUID would URL X have?'), not as a substitute for random IDs.
Using Math.random() to generate UUIDs
SecurityMath.random() is a non-cryptographic PRNG with poor distribution. You will generate collisions. Always use crypto.randomUUID() (browser/Node), uuid.uuid4() (Python), SecureRandom.uuid (Ruby), or equivalent CSPRNG-backed APIs. Never roll your own UUID generator with a math RNG.
Treating UUIDs as encryption
SecurityBase64-encoding or UUID-wrapping sensitive data does NOT hide it. Anyone can decode a Base64 string or read a UUID's bits. If you need to protect data, use actual encryption (AES, RSA). UUIDs are identifiers, not secrets.
Ignoring UUID case sensitivity in comparisons
CorrectnessRFC 9562 requires parsers to accept both cases but recommends lowercase in output. Bugs hide when code compares UUIDs as strings: '550E8400-…' != '550e8400-…'. Always normalize to lowercase before string comparison, or use your database's native uuid type (which handles this correctly).
Forgetting the variant bits exist
CorrectnessCustom UUID generators that don't set the variant bits (top 2 bits of byte 8 = 10) produce non-conformant UUIDs. Some libraries will reject them as 'invalid'. Always set version bits AND variant bits — see our deep-dive above.
Exposing v1/v6/v7 timestamps for privacy-critical IDs
Securityv1, v6, and v7 all embed the creation time. Publishing them leaks WHEN a record was created — bad for session tokens, password reset links, or anything where timing matters. Use v4 for secrets and time-ordered versions only for internal IDs.
Using UUID v4 when v7 would do
PerformanceNew projects defaulting to v4 in 2025+ are skipping a free performance win. If your IDs go into a database as primary keys, v7 is strictly better for write throughput and index health. Keep v4 for tokens, secrets, or anywhere timestamp exposure is a concern.
Migration Guides: Moving to Time-Ordered UUIDs
Switching an existing system from v4 to v7 (or v1 to v6) is usually worth doing, but requires care. Here are the patterns that work.
Migrating v4 Primary Keys to v7 (Postgres)
- Don't rewrite existing rows. The goal is better performance for NEW inserts, not changing old IDs. Rewriting primary keys breaks foreign keys and history.
- Change the default only.
ALTER TABLE items ALTER COLUMN id SET DEFAULT uuidv7(); - Install a v7 generator. Install
pg_uuidv7extension or define the manual SQL function (see code snippets above). - Reindex after heavy write periods. Once most NEW inserts are v7, the index will slowly rebalance. Run
REINDEX CONCURRENTLYon the primary key during off-peak hours for an immediate cleanup. - Monitor index bloat. Use
pg_stat_user_indexesandpgstattupleto measure before/after. You should see bloat drop significantly within a few weeks.
Migrating v1 → v6 for Lexicographic Sorting
v1 UUIDs don't sort by time because the timestamp bytes are scattered. v6 fixes this with the exact same fields, just reordered. Mechanical migration:
- Any existing v1 UUID can be losslessly converted to v6— the bits are the same, just in a different order. Several libraries (Go's google/uuid, Python's uuid6) expose a v1-to-v6 converter.
- For NEW records, switch the generator to emit v6. This doesn't break compatibility with v1 consumers (both are valid UUIDs).
- If you don't need the node field, skip v6 and go straight to v7 — simpler format, modern default.
Dual-writing During a Migration
If you're exposing UUIDs in URLs or external APIs and want to swap formats without breaking consumers, use the dual-write pattern:
- Keep the old UUID column as the public ID.
- Add a new column for the new format (e.g.,
internal_id uuid) and start generating v7 values for all new rows. - Backfill existing rows with newly generated v7 IDs during a low-traffic window.
- Use
internal_idfor internal joins, foreign keys, and sort-by-creation queries. Keep the old column for URLs/API responses until you're ready to migrate consumers.
Storing UUIDs in Your Database
How you store a UUID matters almost as much as which version you choose. The right storage type saves space, speeds up queries, and keeps indexes healthy.
| Database | Recommended column type | Storage (bytes) | Notes |
|---|---|---|---|
| PostgreSQL | uuid | 16 | Native binary storage, sortable, supports all operators. |
| MySQL 8+ | BINARY(16) | 16 | Use UUID_TO_BIN()/BIN_TO_UUID(); v7 storage needs the 2nd arg = 1 for byte reordering. |
| SQL Server | uniqueidentifier | 16 | 16 bytes. Sorts in a SQL-Server-specific byte order, not lexicographic. |
| SQLite | BLOB or TEXT | 16 or 36 | No native type. BLOB is smaller; TEXT is easier to inspect. |
| MongoDB | UUID (BSON subtype 4) | 16 | Use MongoDB's native UUID BSON type, not a string. |
| Cassandra / ScyllaDB | uuid / timeuuid | 16 | timeuuid is v1 only; for v7 use uuid + app-level sorting. |
| DynamoDB | String (S) | 36 | No binary UUID type; use the string form. v7 sorts correctly as a string. |
| Redis | String | 36 | Use the 36-char hex form as a key; or 16-byte packed binary to save memory. |
Rule of thumb: if your database has a native 16-byte UUID type, use it. Storing 36-char VARCHARs wastes 125% more space per row and every index that touches the column. The difference adds up fast at scale.
Native UUID Support by Language & Runtime
Which UUID versions you can use without third-party libraries depends on your runtime and version. Check this before picking v7 on a legacy platform.
| Runtime | Native v4 | Native v7 | API |
|---|---|---|---|
| Node.js | 14.17+ | No (use npm uuid ≥ 11) | crypto.randomUUID() (v4), v7() from uuid package |
| Chrome / Edge | 92+ | No | crypto.randomUUID() |
| Safari | 15.4+ | No | crypto.randomUUID() |
| Firefox | 95+ | No | crypto.randomUUID() |
| Python | Always (stdlib uuid) | 3.14+ (PEP 750) | uuid.uuid4(), uuid.uuid7() |
| Go | google/uuid any version | google/uuid ≥ 1.6 | uuid.New(), uuid.NewV7() |
| Rust (uuid crate) | Always | 1.1+ | Uuid::new_v4(), Uuid::now_v7() |
| Java | Always (java.util.UUID) | No (use Apache Commons or uuid-creator) | UUID.randomUUID() |
| Ruby | Always (SecureRandom.uuid) | 3.3+ | SecureRandom.uuid, SecureRandom.uuid_v7 |
| .NET / C# | Always (Guid.NewGuid) | 9.0+ | Guid.NewGuid(), Guid.CreateVersion7() |
| PostgreSQL | 13+ (gen_random_uuid) | No (use pg_uuidv7 ext or manual SQL) | gen_random_uuid(), uuidv7() |
| MySQL | No (use app) | No (app only) | UUID() returns v1 |
| MariaDB | No native | 10.7+ (UUID_v7) | UUID_v7() |
| SQL Server | Always (NEWID) | No | NEWID(), NEWSEQUENTIALID() (sort-friendly but not v7) |
Common Use Cases
Database primary keys
Use UUIDs as primary keys to avoid sequential ID guessing and enable distributed ID generation without coordination.
API request tracing
Attach a UUID to each API request to trace it through microservices, logs, and error reports.
Session identifiers
Generate unique session tokens for user authentication and authorization in web applications.
File naming
Name uploaded files with UUIDs to prevent collisions and avoid exposing original filenames.
Message queues
Assign UUIDs to messages in distributed queues (Kafka, RabbitMQ) for deduplication and tracking.
Idempotency keys
Use UUIDs as idempotency keys in payment APIs to prevent duplicate charges on retry.
UUID History & Standards Timeline
UUIDs have been standardized, revised, and expanded over more than 40 years. Understanding where each version came from helps explain the design trade-offs.
Apollo NCA
The concept originated at Apollo Computer with the Network Computing Architecture. Their 'UID' was a 64-bit value — the ancestor of modern UUIDs.
DCE / OSF Adoption
The Open Software Foundation adopted a 128-bit UUID format for the Distributed Computing Environment (DCE). This became the canonical format used today.
Microsoft GUIDs
Microsoft adopted the same 128-bit format as 'GUID' (Globally Unique Identifier) for COM and Windows, though stored with mixed-endian byte order internally.
RFC 4122 Published
The IETF standardized UUIDs in RFC 4122, defining versions 1 (timestamp + MAC), 2 (DCE security), 3 (MD5 name), 4 (random), and 5 (SHA-1 name). This was the canonical spec for nearly 20 years.
ULID Proposed
Alizain Feerasta proposed ULID as a sortable alternative to UUID v4. Sparked renewed interest in time-ordered IDs.
draft-peabody-dispatch-new-uuid-format
Brad Peabody and Kyzer Davis published the first IETF draft for UUID versions 6, 7, and 8. Adopted rapidly by major language runtimes.
RFC 9562 Published
The new UUID spec officially replaces RFC 4122. Adds v6 (sortable v1), v7 (Unix ms + random — the new DB default), v8 (custom), and the Max UUID.
Native v7 Support Spreads
Go's google/uuid 1.6, Python 3.14, Ruby 3.3, .NET 9, Rust uuid 1.1, MariaDB 10.7, pg_uuidv7 for Postgres all ship native v7 implementations.
Standard UUID Namespaces Reference
RFC 4122 Appendix C defines four standard namespace UUIDs for use with v3/v5 hash-based generation. These are fixed well-known values — use them when hashing names of the corresponding type so your IDs interoperate with everyone else's.
| Namespace | UUID value | Use for |
|---|---|---|
| DNS | 6ba7b810-9dad-11d1-80b4-00c04fd430c8 | Hashing fully-qualified domain names (example.com) |
| URL | 6ba7b811-9dad-11d1-80b4-00c04fd430c8 | Hashing URLs (https://example.com/path) |
| OID | 6ba7b812-9dad-11d1-80b4-00c04fd430c8 | Hashing ISO Object Identifiers (1.2.840.113549.1) |
| X.500 | 6ba7b814-9dad-11d1-80b4-00c04fd430c8 | Hashing X.500 Distinguished Names (CN=John Doe,O=Example) |
For anything outside these four categories, generate your own namespace UUID once (any v4 works) and hardcode it as a constant in your code — then reuse it every time you hash a name of that type.
UUID Validation Regex Patterns
Need to validate a UUID string without parsing it fully? These regex patterns cover the most common checks across languages.
^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-7[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$^[0-9a-fA-F]{32}$^\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}$Sample UUIDs for Testing
Copy-paste ready UUIDs in every version, useful as test fixtures, placeholder data, or for debugging UUID parsers. Every sample below is a valid, RFC-conformant UUID.
00000000-0000-1000-8000-000000000000f81d4fae-7dec-11d0-a765-00a0c91e6bf69073926b-929f-31c2-abc9-fad77ae3e8eb00112233-4455-4677-8899-aabbccddeeff550e8400-e29b-41d4-a716-446655440000886313e1-3b8a-5372-9b90-0c9aee199e5d1ee2a000-0b01-6000-8000-0000000000000191a1c0-7d54-7b8f-9c2d-3e4f56789abc00112233-4455-8677-8899-aabbccddeeff00000000-0000-0000-0000-000000000000ffffffff-ffff-ffff-ffff-ffffffffffffWhen NOT to Use UUIDs
UUIDs are great but not always the right tool. Here are the cases where an alternative is genuinely better.
User-facing URLs
A 36-char UUID in a URL is ugly and long. Use a shorter slug format (NanoID, Hashids, 8-12 char random) for shareable links. Store the UUID internally.
Sequential integer joins
If rows are related by a simple ordering (e.g. event sequences), 64-bit integer IDs or Snowflake give you the ordering and half the storage cost.
Large-volume warehouse tables
At 100B+ rows, even binary UUIDs cost significant storage. A 64-bit sequential ID uses half the space and compresses better.
Short-lived codes (OTPs, invites)
Users need to type or speak these. A UUID is unusable. Generate short cryptographic codes instead.
Deduplication keys for identical content
If 'same content = same ID' matters (e.g. file deduplication), use a real content hash, not a v5 UUID. Hash is more widely used for this purpose.
When you need ordered sequences
If your ID needs to reflect insertion order exactly (no gaps, strictly monotonic), database sequences are the right tool. v7 UUIDs are sortable but can have gaps and clock-skew oddities.
UUID Security & Entropy
Can UUIDs be used as security tokens? It depends on the version and how you generate them. Here's the breakdown.
Is UUID v4 secure as an auth token?
It depends. v4 has 122 bits of random entropy, which is more than enough to be unguessable if generated from a CSPRNG (crypto.randomUUID(), uuid.uuid4(), etc.). NIST guidance requires at least 112 bits of entropy for high-value session tokens — v4 meets that. However, v4 UUIDs weren't designed as tokens, and leaking one has different implications than leaking a dedicated session secret. For anything security-critical, use a dedicated token format (JWT, signed cookies, opaque 256-bit random tokens) rather than a UUID.
Can UUIDs be predicted?
v4 and v7 generated from a proper CSPRNG (every browser, Node, Python, etc. standard library) are computationally unguessable. v1 and v6 are partially predictable — an attacker who knows the rough generation time and node identifier can narrow the search space. v3 and v5 are fully predictable if the namespace and name are known. Never use v1/v3/v5/v6 in security contexts.
Does v7 leak sensitive information?
v7's first 48 bits encode the millisecond timestamp. If the UUID is public, anyone can read the creation time. For internal IDs this is usually fine. For anything customer-facing where timing matters (password reset tokens, one-time links), use v4 instead.
Is it safe to generate UUIDs client-side in a browser?
Yes — window.crypto.randomUUID() uses the browser's CSPRNG, the same source used for WebCrypto keys. The result is cryptographically secure. Everything on this tool runs client-side with no server round-trip.
How much entropy does each version have?
v4: 122 bits random. v7: 74 bits random (per millisecond). v1/v6: 14 bits (clock sequence) + 48 bits (node) — but node might be deterministic. v3/v5: deterministic — effectively zero runtime entropy, just the input's entropy. v8: implementation-defined. For security-critical uses, 122-bit v4 is the safe default.
UUIDs in the Wild: Who Uses What
Real-world examples of unique ID formats in use at major companies and open-source projects.
| Format | Used by |
|---|---|
| UUID v4 | Most SaaS apps, Stripe customer IDs, AWS resource identifiers, Firebase, Supabase |
| UUID v7 | Modern Postgres-backed systems adopting RFC 9562: Prisma (optional), Drizzle, Supabase (2024+) |
| ULID | Segment (event tracking), some Node.js shops, projects using SST/Convex |
| Snowflake ID | Twitter/X (originators), Discord, Instagram, Slack, Mastodon |
| KSUID | Segment (newer events), some log-stream tooling |
| NanoID | Supabase anonymous tokens, many JS projects for short URLs and slugs |
| Custom short IDs | YouTube (11 chars), Stripe (prefixed IDs like cus_xxx, pi_xxx), Shopify |
| Integer (BIGINT) | Legacy MySQL systems, Reddit post IDs, HackerNews |
UUID Generation Performance
Order-of-magnitude numbers for how fast you can generate each UUID version in common runtimes. In practice, UUID generation is almost never the bottleneck — but it's useful context for capacity planning.
| Runtime | v4 / sec | v7 / sec | Notes |
|---|---|---|---|
| Node 22 | ~20M | ~5M (npm uuid) | crypto.randomUUID() is native and very fast. |
| Chrome (V8) | ~15M | ~4M (lib) | Similar perf to Node; crypto.randomUUID() is native. |
| Python 3.13 | ~2M | ~1M (uuid6 pkg) | Python's UUID class is slower due to immutable object overhead. |
| Go 1.22 | ~30M | ~10M | google/uuid is near bare-metal — fastest popular UUID library. |
| Rust (uuid 1.8) | ~40M | ~15M | Zero-cost abstractions; hand-optimized in release mode. |
| Postgres (local) | ~1M inserts/s | ~1M inserts/s | Dominated by the insert itself, not UUID generation. |
Numbers are approximate, measured on commodity 2024-era hardware. Your exact throughput will vary — but the takeaway is that UUID generation is so fast it will never be the bottleneck in a real app.
Related Tools
If you're generating UUIDs you might also be working with these formats. All free, all client-side on ZeroTools.
Hash Generator →
MD5, SHA-1, SHA-256, SHA-384, SHA-512 hashes — the underlying primitive for v3/v5 UUIDs.
Base64 Encoder →
Convert UUID bytes to Base64 or any Base64 back to bytes.
Timestamp Converter →
Convert Unix timestamps to human-readable dates — pairs with v7's embedded timestamp.
JWT Decoder →
Decode JWT tokens (often contain UUID subject IDs).
Password Generator →
Cryptographically-secure random passwords, same entropy source as UUID v4.
JSON Formatter →
Format and validate JSON — useful when working with UUID-keyed API payloads.
HMAC Generator →
Keyed hash authentication codes — alternative to UUIDs for signed identifiers.
Number Base Converter →
Convert UUIDs and other identifiers between decimal, hex, binary, and octal.
Regex Tester →
Test the UUID validation patterns from the section above.
UUID Glossary
Quick definitions for terms used throughout this page and the wider UUID ecosystem.
Universally Unique Identifier — a 128-bit value designed to be globally unique without coordination. Standardized by RFC 4122 (2005) and RFC 9562 (2024).
Microsoft's name for UUID. Same 128-bit format; GUID is the Windows/DCE naming convention, UUID is the RFC name.
The original UUID specification from 2005. Defined versions 1, 2, 3, 4, and 5. Obsoleted by RFC 9562.
The 2024 revision of the UUID specification. Adds versions 6, 7, and 8 plus the Max UUID. Replaces RFC 4122.
A 4-bit field (the 13th hex character) that identifies how the UUID was generated. Values 1-8 are currently defined.
A 2-3 bit field (high bits of the 17th hex character) identifying which spec family the UUID follows. Most UUIDs use the RFC 4122/9562 variant (binary 10xx, hex 8-b).
Cryptographically-Secure Pseudo-Random Number Generator. Unlike Math.random(), a CSPRNG is safe to use for security-sensitive random values. crypto.randomUUID() uses one.
October 15, 1582 — the date the Gregorian calendar was adopted. v1 and v6 UUIDs encode time as 100-nanosecond intervals since this epoch.
January 1, 1970 UTC. v7 UUIDs encode time as milliseconds since this epoch — simpler than the Gregorian epoch used by v1/v6.
The default index structure in Postgres, MySQL, SQL Server, and most databases. B-trees perform best when inserts are sequential; random v4 UUIDs cause fragmentation.
What happens when a B-tree leaf page fills up and has to be split to fit a new insert. Page splits are expensive — time-ordered UUIDs like v7 avoid them.
Always increasing. v7 UUIDs are monotonic within a millisecond (via the random tail) and always across milliseconds (via the timestamp prefix).
A fixed UUID used as input to v3/v5 hash-based generation. RFC 4122 defines four: DNS, URL, OID, and X.500. You can also define your own.
A UUID that produces the same output given the same input. v3 and v5 are deterministic; v1, v4, v6, v7, v8 are not.
The 36-character hex-with-hyphens representation: 8-4-4-4-12. What you see by default. Also called Microsoft GUID format D.
The all-zeros UUID (00000000-0000-0000-0000-000000000000). Reserved as a sentinel for 'no value'. Never generate it randomly.
The all-ones UUID (ffffffff-ffff-ffff-ffff-ffffffffffff). Added in RFC 9562 as a counterpart to Nil for 'maximum value'.
A 48-bit field in v1/v6 UUIDs. Traditionally the machine's MAC address; modern libraries use a random value with the multicast bit set.
The least-significant bit of the first byte of an Ethernet MAC address. Setting it to 1 indicates 'this is not a real hardware address' — used in v1/v6 to prevent MAC leakage.
A 14-bit field in v1/v6 UUIDs that prevents collisions when the clock is reset or when generating UUIDs faster than the clock ticks.
Byte order. UUIDs are stored big-endian (most-significant byte first) on the wire; some systems like Microsoft's GUID format use mixed-endian internally — a common bug source.
Frequently Asked Questions
UUID v4 is a universally unique identifier generated using cryptographically secure random numbers. It contains 122 random bits and 6 fixed bits (4 for version, 2 for variant). The probability of generating a duplicate is astronomically low — you would need to generate 2.71 quintillion UUIDs to have a 50% chance of a single collision.
While not mathematically guaranteed to be unique, UUID v4 uses 122 random bits, giving 5.3 × 10³⁶ possible values. The chance of collision is so vanishingly small that it’s considered safe for virtually all applications. For context, you could generate 1 billion UUIDs per second for 85 years before having a 50% probability of a single duplicate.
Yes. All UUIDs are generated entirely in your browser using the Web Crypto API (crypto.randomUUID()). No data is sent to any server — the tool works completely offline once loaded.
UUID (Universally Unique Identifier) and GUID (Globally Unique Identifier) are essentially the same thing. GUID is the term used by Microsoft, while UUID is the standard term used in RFC 4122 and most other systems. They follow the same format and generation rules.
UUIDs work well as primary keys in distributed systems where you need to generate IDs without database coordination. However, random UUIDs (v4) can cause index fragmentation in B-tree indexes. Consider UUID v7 (time-ordered) for better database performance, or use UUIDs as secondary identifiers alongside auto-increment primary keys.
Some systems require compact identifiers without hyphens (32 characters instead of 36). Removing hyphens saves storage space in databases and makes UUIDs easier to use in URLs, filenames, and CSS class names. The UUID remains the same value regardless of formatting.
crypto.randomUUID() is a Web API that generates a UUID v4 string using the browser’s cryptographically secure pseudorandom number generator (CSPRNG). It’s supported in all modern browsers and is the recommended way to generate UUIDs in JavaScript.
Yes! This tool lets you generate up to 1,000 UUIDs at once. Enter your desired count, click Generate, and copy individual UUIDs or the entire list. All generation happens instantly in your browser.
UUID v7 is the newest standard (RFC 9562, May 2024) that encodes a 48-bit Unix millisecond timestamp at the start, followed by 74 random bits. Because the timestamp is leading, v7 UUIDs sort correctly by creation time as both binary and string values. This makes them ideal for database primary keys: B-tree indexes stay healthy because every new insert appends to the right side, avoiding the page splits and cache misses that random v4 primary keys cause at scale.
For database primary keys and any case where inserts should be time-ordered: yes, significantly. For general-purpose random IDs where you don't want creation time leaking, v4 is still the right pick. Both are secure and collision-safe; v7 trades a bit of information leakage for a lot of database performance.
UUID v2 is the 'DCE Security' variant — it replaces part of a v1 timestamp with a POSIX UID or GID. It's defined in the original spec but essentially nobody uses it today. Most UUID libraries don't even implement v2. You can safely ignore it.
Both generate deterministic UUIDs by hashing a namespace UUID plus a name string — feed in the same inputs, get the same UUID every time. v3 uses MD5, v5 uses SHA-1. v5 is strictly preferred for new code; v3 only exists for legacy compatibility. Neither is cryptographically secure against deliberate collision attacks, but they're fine for generating deterministic IDs from known inputs like URLs or DNS names.
v6 is a fixed version of v1 that reorders the timestamp bits so v6 UUIDs sort lexicographically by time. v8 is an explicit 'custom' version: it lets you define your own 122-bit payload while keeping the UUID shape and version/variant bits. Both were introduced in RFC 9562 (2024). v6 is rarely used outside of v1 migrations; v8 is useful when you need to embed your own identifier scheme into a UUID-compatible format.
The Nil UUID is all zeros (00000000-0000-0000-0000-000000000000), used as a sentinel for 'no value' or 'unset'. The Max UUID is all ones (ffffffff-ffff-ffff-ffff-ffffffffffff), added in RFC 9562 as a counterpart sentinel for 'maximum value'. They're reserved values — never generate them as real identifiers.
Only if the implementation uses your real MAC. Modern libraries (including this tool) generate a random 48-bit node value with the multicast bit set, which signals 'this is not a real MAC address'. That preserves the v1 format without leaking host identity. But if you care about host privacy, just use v4 or v7 — no node field at all.
Theoretically yes, practically no for random versions. v4 has 2¹²² possible values — you'd need to generate roughly 2.7 × 10¹⁸ UUIDs to have a 50% chance of a single collision (birthday problem). v7 has 74 random bits per millisecond, meaning you'd need ~5.4 billion generations in the same millisecond before collision becomes likely. Real systems have never observed v4 or v7 collisions. Only v3/v5 can collide in practice, and only if the same namespace + name is hashed twice.
Binary (16 bytes) is much more space-efficient than strings (36 bytes) and uses indexes more efficiently. Postgres has a native uuid type that stores binary. MySQL 8+ has BINARY(16) or UUID_TO_BIN(). SQL Server has uniqueidentifier. For v7 specifically, make sure your database preserves byte order so the time-ordered property survives storage and sorting.
Both are valid and represent the same value. RFC 9562 recommends lowercase but requires parsers to accept both. Stick to one style within a codebase for consistency. Postgres stores them in lowercase by default; .NET/Microsoft code often uses uppercase.
UUID stands for 'Universally Unique Identifier'. It's a 128-bit value formatted as 32 hexadecimal digits grouped as 8-4-4-4-12 with hyphens (like 550e8400-e29b-41d4-a716-446655440000). The format is defined by RFC 9562 (and previously RFC 4122).
A UUID is 128 bits = 16 bytes. In its canonical string form it's 36 characters (32 hex digits + 4 hyphens). Without hyphens it's 32 characters. Stored as binary in a database it takes only 16 bytes, which is half the space of the 36-char string form.
Yes — they're the same 128-bit format. GUID (Globally Unique Identifier) is Microsoft's name for it; UUID (Universally Unique Identifier) is the RFC/ISO name. Any UUID is a valid GUID and vice versa, though Microsoft code sometimes displays them with uppercase letters or in a mixed-endian byte order internally.
The UUID space has 2¹²⁸ possible values — that's 340,282,366,920,938,463,463,374,607,431,768,211,456 combinations. Each version reserves some bits for version and variant, but v4 still has 2¹²² random values available — more than enough for any practical system.
Only for certain versions. v7 sorts perfectly by creation time as both binary and string (it was designed for this). v6 also sorts correctly after its byte reordering. v1 does NOT sort by time — the timestamp fields are interleaved in a way that breaks lexicographic order. v4, v3, v5, v8 are not time-based and have no meaningful ordering.
Use a regex or your language's built-in UUID parser. In JavaScript: /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$/.test(str). In Python: try uuid.UUID(str) — it raises ValueError if invalid. Our built-in Inspector above is also a free validator: paste any string and it'll tell you.
Astronomically low. With 2¹²² random values, the birthday paradox gives roughly a 50% chance of a collision after generating 2.71 × 10¹⁸ UUIDs. That's 2.7 quintillion. At 1 billion UUIDs per second, you'd need 85 years to hit 50%. For any practical application, treat collisions as impossible.
Yes — the first 48 bits of a v7 UUID are milliseconds since the Unix epoch. Take the first 12 hex characters (removing hyphens), parse as integer, that's your Unix milliseconds. The Inspector above does this automatically for any v1, v6, or v7 UUID.
Use v7. v7 is nearly always better for database primary keys because its time-ordered structure keeps B-tree indexes healthy and inserts cheap. v4 is fine for secondary identifiers or anywhere you want to hide creation time, but in 2025+ there's no reason to pick v4 for a new primary key column.
They're functionally almost identical — both are 128-bit time-ordered IDs with a ~48-bit ms timestamp and ~80 bits of randomness. The differences: (1) encoding — UUID v7 uses hex with hyphens (36 chars), ULID uses Crockford Base32 (26 chars); (2) ecosystem — UUID is universally supported, ULID is niche; (3) variant/version bits — UUID v7 carves out 6 bits for RFC compliance, ULID doesn't. Prefer v7 for new systems due to universal tooling support.
Yes. It's a standardized browser/Node API that uses the underlying cryptographic random generator (the same one that powers WebCrypto and SubtleCrypto). It was added to WHATWG HTML spec in 2021 and has been available in Node 14.17+, Chrome 92+, Safari 15.4+, Firefox 95+.
No — they encode fundamentally different information. v4 is pure randomness; v7 has a timestamp baked in. You can't extract a timestamp from v4 that wasn't there, and you can't regenerate the exact same v7 without knowing the original timestamp. If you want to migrate, you have to generate fresh IDs.
No timezone — v7 stores milliseconds since Unix epoch (UTC, by definition). When you decode it, interpret it as UTC and convert to your local timezone for display. Timezone information is never part of the UUID.
It doesn't — v1 UUIDs have a 1 in the 13th position (first character of the 3rd group). If you're seeing a 4, that's a v4 UUID. The digit at position 13 (the 'M' in xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx) always reflects the version number.
JSON has no native UUID type — they're serialized as strings. Most languages automatically quote UUIDs when encoding to JSON and parse them back to their UUID type on the way in. Example: { "id": "550e8400-e29b-41d4-a716-446655440000" }. The canonical form (with hyphens, lowercase) is standard for JSON APIs.
For non-security-critical session identifiers, yes — a v4 UUID provides 122 bits of entropy, far exceeding the 64-bit minimum recommended for session IDs. For stronger security, use a longer opaque random token (256 bits) or a signed JWT. Never use v1/v6/v7 for session tokens because their timestamps reveal session-start time.
The canonical UUID format uses hex digits and hyphens only, all of which are URL-safe (they don't need percent-encoding). You can drop UUIDs directly into URL paths and query strings without issue. The 36-char length is the only drawback for user-facing URLs.
No. RFC 9562 (2024) defines v1 through v8 and doesn't reserve numbers above v8. Any future UUID versions would need a new RFC. In practice v4 and v7 cover nearly all use cases, so demand for new versions is low.