Skip to content
ToolMint
Back to blog

How to Generate a UUID Online — UUID v4 Generator

April 12, 202611 min read

What Is a UUID?

A UUID (Universally Unique Identifier) is a 128-bit number used to uniquely identify information in computer systems. The standard representation is a 32-character hexadecimal string split into five groups by hyphens:

550e8400-e29b-41d4-a716-446655440000

The format is always 8-4-4-4-12 characters — 8 hex characters, a hyphen, 4, a hyphen, 4, a hyphen, 4, a hyphen, 12. UUIDs are case-insensitive; 550E8400-E29B-41D4-A716-446655440000 is the same as 550e8400-e29b-41d4-a716-446655440000.

The probability of generating two identical UUIDs is vanishingly small — for UUIDv4, the collision probability is approximately 1 in 5.3 × 10^36. In practice, you can generate UUIDs in distributed systems without coordination between nodes and rely on uniqueness.

UUID Versions: v1, v4, v5, v7

There are several UUID versions, each generated differently and suited to different use cases.

UUID v1 — Time-Based

UUID v1 encodes the current timestamp plus the MAC address of the machine generating it. The result is sortable by creation time and unique per machine.

The problem is privacy: because v1 UUIDs encode the MAC address, they can be used to trace which machine generated a specific identifier. This is why v1 UUIDs fell out of favor for user-facing systems. You may still encounter them in older distributed databases.

UUID v4 — Random

UUID v4 is generated entirely from random or pseudo-random data. The only structure is the version bits (the first digit of the third group is always 4) and the variant bits (the first digit of the fourth group is 8, 9, a, or b).

This is the most widely used UUID version for application development because:

  • No coordination between systems is needed
  • No machine-identifying information is leaked
  • Generation is fast with a cryptographically secure random number generator
  • Every language and platform has built-in support

UUID v5 — Name-Based (SHA-1)

UUID v5 generates a deterministic UUID from a namespace UUID and a name string using SHA-1 hashing. Given the same inputs, you always get the same UUID. This is useful when you need a stable identifier for a specific piece of data (a URL, an email address, a product SKU) that does not change over time.

UUID v7 — Time-Ordered Random

UUID v7 is a newer standard that combines a Unix timestamp prefix with random data. The result is sortable by creation time (like v1) but without exposing machine identity (like v4). UUID v7 is increasingly popular for database primary keys because the time ordering improves index locality — inserts naturally go to the end of B-tree indexes rather than scattering randomly. Support in databases and ORMs is growing but not yet universal.

ToolMint's UUID generator produces UUID v4 — the standard choice for most development workflows.

Why Developers Use UUIDs

Database Primary Keys

The most common use case for UUIDs is as primary keys in relational databases. The traditional approach uses auto-incrementing integers: 1, 2, 3, 4... UUID primary keys offer several advantages:

  • No coordination needed. Multiple application instances, microservices, or mobile clients can generate IDs independently without querying a central counter. This is essential for distributed systems and offline-first applications.
  • IDs are not guessable. An auto-increment ID of 1234 tells an attacker there are at least 1234 rows and that row 1235 probably exists. A UUID reveals nothing.
  • IDs are safe to expose. You can use the UUID directly in URLs (/orders/550e8400-e29b-41d4-a716-446655440000) without leaking business metrics.

The tradeoff is index performance: random UUID v4 values scatter across B-tree indexes, causing more page splits and cache misses than sequential integers. For high-write-volume tables, UUID v7 or ULID (discussed below) addresses this.

Session and Token Identifiers

Session IDs, CSRF tokens, password reset tokens, email verification tokens, and API keys are all cases where you need a large unpredictable identifier that cannot be guessed. A cryptographically random UUID v4 is appropriate for all of these. The 122 bits of randomness (128 bits minus the fixed version and variant bits) make brute-force guessing infeasible.

File and Asset Naming

When users upload files, storing them under the original filename creates problems: collisions, path traversal risks, and information exposure. Renaming uploaded files to UUIDs solves all three:

  • 550e8400-e29b-41d4-a716-446655440000.jpg cannot collide with another file
  • The name reveals nothing about the content
  • The path cannot be traversed using ../ tricks because the name contains only hex characters and hyphens

API Idempotency Keys

REST and gRPC APIs that perform mutations (creating a payment, sending an email, provisioning a resource) often accept an idempotency key — a client-generated identifier that the server uses to deduplicate repeated requests. If your network request times out and you retry, the same idempotency key ensures the server only processes the action once.

UUID v4 is the standard format for idempotency keys because it is unique per request, easy to generate client-side, and widely recognized by API providers (Stripe, Twilio, and most payment processors use this pattern).

Correlation IDs for Distributed Tracing

In microservice architectures, a single user action may trigger dozens of internal service calls across multiple systems. Attaching a UUID to the original request and propagating it through every downstream call (as an X-Request-ID or trace-id header) lets you correlate all related log entries across services. When a bug report comes in, you search your log aggregator for that UUID and see the complete trace.

Message Queue Deduplication

Message queues like SQS, Kafka, and RabbitMQ can deliver messages more than once under failure conditions. Attaching a UUID to each message and tracking processed UUIDs in a deduplication store lets consumers detect and discard duplicate messages without reprocessing.

How ToolMint's UUID Generator Works

ToolMint's UUID generator runs entirely in your browser. UUID v4 generation uses the Web Crypto API's crypto.getRandomValues() function, which provides cryptographically secure random bytes. No request is made to any server. Your generated UUIDs are never transmitted, logged, or stored.

This is the correct approach — UUID generation is trivially doable in JavaScript, and there is no reason to send a network request to generate a random identifier.

Step-by-Step: How to Generate a UUID

Step 1: Open the UUID Generator

Go to toolmint.app/studio/text and select the UUID Generator tool.

Step 2: Choose Your Format Options

With hyphens (standard): 550e8400-e29b-41d4-a716-446655440000 Use this for most applications. This is the canonical UUID format defined by RFC 4122 and accepted by virtually every system that works with UUIDs.

Without hyphens (compact): 550e8400e29b41d4a716446655440000 Used in some systems that expect raw hex strings, certain database schemas, or APIs that do not accept the hyphenated format. The value is identical — only the formatting differs.

Uppercase: 550E8400-E29B-41D4-A716-446655440000 Some legacy systems or style guides require uppercase hex. UUID comparison is always case-insensitive, so uppercase and lowercase UUIDs with the same hex digits are identical.

Step 3: Set the Quantity

If you need multiple UUIDs — for populating test data, seeding a database, or generating a batch of tokens — set the quantity field. The generator produces up to however many you need instantly.

Step 4: Copy and Use

Click the copy button to copy a single UUID to your clipboard, or copy all generated UUIDs as a list for bulk use.

UUID Formats in Practice

Different contexts expect different UUID formats. Here is a quick reference:

SQL databases (PostgreSQL, MySQL): PostgreSQL has a native UUID column type that accepts the standard hyphenated format. MySQL can store UUIDs as CHAR(36) (hyphenated) or BINARY(16) (raw bytes, more efficient). MariaDB has a similar UUID function.

JavaScript / TypeScript:

// Built-in (Node.js 14.17+, modern browsers)
const uuid = crypto.randomUUID(); // Returns standard hyphenated format

// Output: "550e8400-e29b-41d4-a716-446655440000"

Python:

import uuid
uuid.uuid4()  # uuid.UUID('550e8400-e29b-41d4-a716-446655440000')
str(uuid.uuid4())  # '550e8400-e29b-41d4-a716-446655440000'
uuid.uuid4().hex  # '550e8400e29b41d4a716446655440000' (no hyphens)

Go:

// Using google/uuid package
id := uuid.New()
fmt.Println(id.String()) // "550e8400-e29b-41d4-a716-446655440000"

Alternatives to UUID v4

UUID v4 is the default choice, but these alternatives are worth knowing.

ULID (Universally Unique Lexicographically Sortable Identifier)

ULIDs encode a 48-bit millisecond timestamp followed by 80 bits of randomness, represented in Crockford's Base32:

01ARZ3NDEKTSV4RRFFQ69G5FAV

The key advantage over UUID v4 is lexicographic sortability: ULIDs generated in sequence sort correctly as strings. This gives you the distributed generation benefit of UUIDs with the B-tree index friendliness of auto-increment integers. If you are using UUIDs as database primary keys and performance is a concern on large tables, ULID is worth evaluating.

The downside is slightly less universal support compared to UUID, though libraries exist for most languages.

nanoid

nanoid generates short random IDs using a URL-safe alphabet:

V1StGXR8_Z5jdHi6B-myT

Default length is 21 characters, compared to UUID's 36. The collision probability is comparable to UUID v4 at 21 characters. nanoid is popular in JavaScript ecosystems (it is used by PostCSS, Prisma, and others) because the shorter length is convenient for URLs and display contexts.

Unlike UUID, nanoid has no standardized format — different implementations may use different alphabets or lengths. This limits interoperability with systems that explicitly expect UUID format.

Auto-Increment Integers

Sequential integers (1, 2, 3) remain the right choice for many applications:

  • Simpler queries and joins
  • Smaller storage footprint (4 or 8 bytes vs. 16 bytes)
  • Better cache performance in B-tree indexes
  • Human-readable and debuggable

Use auto-increment integers when you do not need distributed generation, are not concerned about ID guessability, and are building a simple single-database application. Use UUIDs when you need any of the distributed, privacy, or collision-avoidance properties described above.

Tips for Using UUIDs

  • Use the native UUID type in your database. PostgreSQL's UUID type stores 16 bytes and provides index-optimized comparison. Storing UUIDs as VARCHAR(36) wastes space and slows index operations.
  • Generate on the client when possible. Letting the application layer generate UUIDs (rather than the database) enables optimistic UI updates — you can display the new record's ID immediately without waiting for a database round-trip.
  • Do not parse UUIDs manually. Use library functions (uuid.parse(), uuid.UUID()) rather than splitting on hyphens and extracting components. The library handles edge cases, uppercase normalization, and validation.
  • Validate UUID format on input. If your API accepts a UUID parameter, validate it matches the UUID pattern before using it in a query. This prevents injection attacks and provides better error messages than a database constraint violation.
  • UUID v4 is not a secret. UUIDs are unique but not secret. Do not use a UUID as a password, a signing key, or a cryptographic secret. Use a proper CSPRNG with at least 256 bits for security-critical values.

FAQ

Are UUIDs generated by ToolMint truly random?

Yes. ToolMint uses the browser's crypto.getRandomValues() API, which provides cryptographically secure random bytes. These are equivalent to UUIDs generated by Node.js's crypto.randomUUID() or Python's uuid.uuid4(). ToolMint never transmits your generated UUIDs to any server.

Can two different UUID v4s ever be the same?

Theoretically yes, practically no. The probability of a collision between two randomly generated UUID v4s is approximately 1 in 5.3 × 10^36. If you generated one billion UUIDs per second for the lifetime of the universe, you would still be extraordinarily unlikely to see a collision. UUID uniqueness can be treated as a guarantee for all practical purposes.

Should I use UUID as a database primary key?

It depends. UUID primary keys enable distributed ID generation and prevent ID guessability at the cost of index performance (UUID v4's randomness causes B-tree fragmentation). For small-to-medium tables or applications that prioritize the uniqueness and privacy benefits, UUIDs as primary keys work well. For high-write-volume tables where B-tree performance matters, use UUID v7 or ULID, which are time-ordered and index-friendly.

What is the difference between UUID v4 and UUID v7?

Both use random data for uniqueness, but UUID v7 also encodes a Unix millisecond timestamp at the start of the identifier. This makes UUID v7 values sortable in insertion order, which improves database index performance. UUID v4 is entirely random with no timestamp. If you are choosing for a new project and your database supports UUID v7, it is generally the better choice for primary keys.

Is UUID the same as GUID?

Yes. GUID (Globally Unique Identifier) is Microsoft's term for the same concept, used in .NET, COM, and SQL Server. The format and structure are identical to UUID. When a .NET developer says GUID and a backend developer says UUID, they mean the same thing.

How do I generate a UUID in code without a tool?

Every major language has built-in or standard library support:

  • JavaScript/Node.js: crypto.randomUUID() (built-in, no package needed)
  • Python: import uuid; uuid.uuid4()
  • Java: java.util.UUID.randomUUID()
  • Go: github.com/google/uuid package, uuid.New()
  • Rust: uuid crate with the v4 feature
  • PHP: Str::uuid() in Laravel, or ramsey/uuid package
  • Ruby: SecureRandom.uuid