How to Generate a UUID (v4) — and When You Actually Need One

2026-06-12

Short answer: A UUID (also called a GUID) is a 128-bit identifier that's globally unique without any central coordinator. The most common flavour is v4 — 122 random bits, so two independently generated ones colliding is effectively impossible. Hit the UUID generator to get one, or batch out a few hundred, all in your browser. Like everything here, it runs locally using the browser's crypto API, so the values you generate aren't logged anywhere.

Generating UUIDs

  1. Open the UUID generator.
  2. Get a single v4 UUID, or set a count to generate many at once.
  3. Copy one, or copy the whole list for seeding a database or test fixtures.

A v4 UUID looks like f47ac10b-58cc-4372-a567-0e02b2c3d479 — the 4 in the third group marks the version. If you'd rather stay on the command line:

  • macOS / Linux: uuidgen
  • Node or browser JS: crypto.randomUUID()

crypto.randomUUID() is built into modern browsers and Node 16+, uses a cryptographically strong RNG, and is the right call inside application code. The browser tool is for when you just need a value to paste somewhere now.

When you actually need a UUID

Good uses:

  1. Primary keys. Generate the ID client-side before insert, no round-trip to the database for an auto-increment value. Also lets you merge datasets without key collisions.
  2. Idempotency keys. Send a UUID with an API request so retries don't double-charge or double-create.
  3. File and object names. Avoids collisions when many uploads land in the same bucket.
  4. Correlation/trace IDs across logs and services.

When NOT to use one

This is where people trip up. A v4 UUID is random, but it is not a secret:

  • Don't use it as a security token, session ID, or password-reset token. It's generated to be unique, not unguessable in a security sense, and it often leaks in URLs and logs. Use a purpose-built secret instead — see the password generator for high-entropy strings, or generate a token with a CSPRNG of proper length.
  • Don't use it as a human-facing short code. Nobody wants to read f47ac10b-… over the phone. For short, friendly codes use a dedicated short-ID scheme.
  • Don't hash a UUID expecting it to become a secret. If the input space is predictable, the hash generator won't save you — hashing a guessable value gives a guessable result.

On collisions: with 122 random bits you'd need to generate billions of UUIDs per second for many years before a collision became remotely likely. In practice, treat v4 as unique and move on.
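To make the bit layout and the "unique, not secret" split concrete, here is an added example (not part of the original post or the site's tools). It shows where the six fixed bits of a v4 UUID sit, how to check the version and variant of an incoming ID, and a separate 256-bit token for anything that must stay secret. The function names and the 32-byte token length are assumptions chosen for illustration.

```javascript
// Added example; function names are illustrative, not from the post.
// Web Crypto is a global in browsers and recent Node; older Node exposes it via node:crypto.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

// Build a v4 UUID by hand to show the layout. Application code should
// simply call crypto.randomUUID(); this only makes the fixed bits visible.
function uuidV4FromBytes(bytes) {
  if (bytes.length !== 16) throw new RangeError('need exactly 16 bytes');
  const b = Uint8Array.from(bytes);
  b[6] = (b[6] & 0x0f) | 0x40; // version nibble forced to 4 (4 fixed bits)
  b[8] = (b[8] & 0x3f) | 0x80; // variant bits forced to 10 (2 fixed bits)
  // 128 - 6 fixed bits = the 122 random bits mentioned above.
  const hex = Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
          hex.slice(16, 20), hex.slice(20)].join('-');
}

// Parse a UUID string and report its version and variant.
// Returns null for anything that is not in the 8-4-4-4-12 hex form.
function inspectUuid(s) {
  const re = /^[0-9a-f]{8}-[0-9a-f]{4}-([0-9a-f])[0-9a-f]{3}-([0-9a-f])[0-9a-f]{3}-[0-9a-f]{12}$/i;
  const m = re.exec(s);
  if (!m) return null;
  const version = parseInt(m[1], 16);
  const rfcVariant = (parseInt(m[2], 16) & 0xc) === 0x8; // top two bits are 10
  return { version, rfcVariant, isV4: version === 4 && rfcVariant };
}

// Purpose-built secret: 32 CSPRNG bytes (256 bits), base64url-encoded,
// with no version or variant structure. The length is an assumed default.
function newSecretToken(byteLength = 32) {
  const raw = wc.getRandomValues(new Uint8Array(byteLength));
  return btoa(String.fromCharCode(...raw))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed sample values: the UUID identifies a request, the token authenticates.
const idempotencyKey = uuidV4FromBytes(wc.getRandomValues(new Uint8Array(16)));
const sessionToken = newSecretToken();

// Cheap guard for code review or tests: a value used as a secret
// should never parse as a UUID.
function isUuidShapedSecret(value) {
  return inspectUuid(value) !== null;
}
```

The guard at the end is useful in tests or at a config-loading boundary, where it flags a UUID that has been wired in as a session or reset token.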

FAQ

Is UUID v4 truly unique? Effectively, yes. It has 122 random bits (about 5.3×10³⁶ possibilities). You'd have to generate an astronomical number before a collision was plausible, so v4 is treated as unique in practice.

What's the difference between a UUID and a GUID? None meaningful — GUID is Microsoft's name for the same thing. The format and the 128-bit size are identical.

Can I use a UUID as a session token or API secret? No. A UUID is built to be unique, not to be a secret, and it commonly appears in logs and URLs. Use a dedicated cryptographic token of adequate length instead.

How do I generate a UUID in code? Use crypto.randomUUID() in modern browsers and Node, or uuidgen on the macOS/Linux command line. Both give you a proper random v4 UUID.

— Milo 🐨