Are UUIDs case-sensitive?

No. RFC 4122 states that UUIDs should be output as lowercase but must be accepted as case-insensitive.

Can I use a UUID as a security token?

UUIDv4 uses cryptographically secure random numbers and is safe to use where unpredictability matters. Versions with timestamps (v1, v7) are partially predictable and should not be used as security tokens.

How much storage does a UUID need?

16 bytes when stored as binary. 36 bytes as a string (32 hex digits + 4 hyphens). Most databases have a native UUID type that stores it as 16 bytes internally.

Why not just use auto-incrementing integers?

Auto-incrementing IDs require a central coordinator (like a database sequence), leak information about your record count and creation order, and cause conflicts when merging data from multiple sources. UUIDs avoid all of these problems at the cost of being larger.

What is the Nil UUID?

The Nil UUID (00000000-0000-0000-0000-000000000000) is a special value that represents 'no UUID' or an uninitialized value. It is sometimes used as a default or placeholder.

What is a UUID? Definition, Format, Versions & Examples

Definition

A UUID (Universally Unique Identifier) is a 128-bit identifier standardized by the Open Software Foundation (OSF) and defined in RFC 4122 and later updated in RFC 9562. UUIDs are designed to be unique across space and time without requiring a central authority to coordinate their generation.

The term GUID (Globally Unique Identifier) is sometimes used interchangeably with UUID. "GUID" originated from Microsoft, while "UUID" is the standard term used in the RFCs. They refer to the same thing.

Format

A UUID is represented as 32 hexadecimal digits grouped into five sections separated by hyphens:

xxxxxxxx-xxxx-Vxxx-Yxxx-xxxxxxxxxxxx

time / random version variant random / node

The total is 36 characters (32 hex digits + 4 hyphens). The five groups have lengths of 8-4-4-4-12, corresponding to the time_low, time_mid, time_hi_and_version, clock_seq_hi_and_variant + clock_seq_low, and node fields.

The Version Field

The 13th hex digit (position 15 in the string, after the second hyphen) indicates the UUID version. It determines how the UUID was generated:

UUID versions, their names, RFCs, and generation methods
Version	Name	RFC	Generation Method
v1	Timestamp	4122	Current time + MAC address of the host
v2	DCE Security	4122	Timestamp + MAC address + local domain ID
v3	MD5 Hash	4122	MD5 hash of a namespace + name
v4	Random	4122	Cryptographically secure random numbers
v5	SHA-1 Hash	4122	SHA-1 hash of a namespace + name
v6	Reordered Timestamp	9562	v1 timestamp reordered for lexicographic sortability
v7	Unix Epoch Timestamp	9562	Unix timestamp in ms + cryptographic random bits
v8	Custom	9562	Vendor-specific or application-defined format

The Variant Field

The 17th hex digit (the first character of the fourth group) encodes the variant, which identifies which UUID specification the ID conforms to:

UUID variant field values and their meanings
Hex Value	Variant	Description
0-7	0	Reserved (Apollo NCS backward compatibility)
8, 9, a, b	1	RFC 4122 / RFC 9562 (the standard)
c, d	2	Reserved (Microsoft GUID backward compatibility)
e, f	3	Reserved for future use

Nearly all UUIDs you encounter will be variant 1 (hex digit 8, 9, a, or b), which is the RFC 4122 standard used by all modern UUID generators.

128-Bit Layout

Under the hood, a UUID is a 128-bit (16-byte) value divided into named fields:

UUID field layout showing name, bits, and byte positions
Field	Bits	Hex Chars	Description
time_low	32	8	Low 32 bits of timestamp (or random)
time_mid	16	4	Middle 16 bits of timestamp (or random)
time_hi_and_version	16	4	4-bit version + 12 bits of timestamp (or random)
clock_seq_hi_and_variant	8	2	2-3 bit variant + 5-6 bits of clock sequence
clock_seq_low	8	2	Low 8 bits of clock sequence
node	48	12	Node ID, typically MAC address (or random)

The field names come from UUIDv1's original timestamp-based design. In versions like v4 and v7, most of these fields are repurposed for random data or a Unix timestamp, but the version and variant bits always occupy the same positions.

Special UUIDs

Special UUID values defined in the specification
Name	Value	Use
Nil UUID	00000000-0000-0000-0000-000000000000	Represents an empty or unset UUID
Max UUID	ffffffff-ffff-ffff-ffff-ffffffffffff	Maximum possible UUID value (RFC 9562)

Which Version Should I Use?

I need a random, unique ID: Use UUIDv4. It's the most widely supported and requires no coordination between systems.
I need IDs that sort by creation time: Use UUIDv7. The embedded timestamp means later IDs always sort after earlier ones, which is great for database indexes.
I need the same ID for the same input every time: Use UUIDv5. Given the same namespace and name, it always produces the same UUID.
I need something shorter than a UUID: Consider ULID (26 chars, sortable), Nano ID (21 chars, random), or CUID2 (24 chars, collision-resistant).
I'm working with a legacy system that uses v1: Use UUIDv1 for compatibility. For new projects, v7 is the modern replacement for time-based UUIDs.

Common Use Cases

Database primary keys: UUIDs can be generated on any node without a central sequence, avoiding bottlenecks in distributed databases.
API request IDs: Attach a UUID to each request for tracing through microservices.
Session tokens: Use random UUIDs (v4) as session identifiers.
File and resource naming: Generate unique filenames for uploads without collision risk.
Idempotency keys: Include a UUID with write requests so servers can detect and deduplicate retries.
Event sourcing: Assign each event a UUID for ordering and deduplication in event-driven architectures.

Collision Probability

UUIDv4 has 122 random bits, giving 2¹²² (roughly 5.3 × 10³⁶) possible values. To have a 50% probability of at least one collision, you would need to generate approximately 2.71 × 10¹⁸ (2.71 quintillion) UUIDs.

To put that in perspective: if you generated one billion UUIDs per second, it would take about 86 years to reach a 50% collision chance. For all practical purposes, UUIDv4 collisions do not happen.

UUIDv7 has fewer random bits (74) because 48 bits are used for the timestamp. Within a single millisecond, collision probability is higher than v4, but still negligible for most workloads. Across different milliseconds, collisions are impossible because the timestamps differ.

Frequently Asked Questions

Are UUIDs case-sensitive?: No. RFC 4122 states that UUIDs should be output as lowercase but must be accepted as case-insensitive. 550e8400-E29b-41D4-A716-446655440000 is valid.
Can I use a UUID as a security token?: UUIDv4 uses cryptographically secure random numbers and is safe to use where unpredictability matters. Versions with timestamps (v1, v7) are partially predictable and should not be used as security tokens.
How much storage does a UUID need?: 16 bytes when stored as binary. 36 bytes as a string (32 hex digits + 4 hyphens). Most databases have a native UUID type that stores it as 16 bytes internally.
Why not just use auto-incrementing integers?: Auto-incrementing IDs require a central coordinator (like a database sequence), leak information about your record count and creation order, and cause conflicts when merging data from multiple sources. UUIDs avoid all of these problems at the cost of being larger.
What is the Nil UUID?: The Nil UUID (00000000-0000-0000-0000-000000000000) is a special value that represents "no UUID" or an uninitialized value. It is sometimes used as a default or placeholder.