What is a UUID Version 4?
UUID Version 4 is a randomly generated universally unique identifier. Of its 128 bits, 122 are filled with cryptographically secure random data — only 6 bits are predetermined: 4 bits for the version field (0100, indicating version 4) and 2 bits for the variant field (10, indicating RFC 9562 compliance). This makes UUID v4 the simplest UUID version to generate and the most widely deployed across the software industry.
The simplicity of UUID v4 is its greatest strength. Unlike v1 (which requires a clock and node ID) or v7 (which requires a synchronized timestamp), v4 needs only a good source of randomness. Any device, on any network, at any time, can generate a UUID v4 without coordination, registration, or shared state.
How UUID v4 is Generated
The generation algorithm for UUID v4 is straightforward:
- Generate 128 random bits — This generator uses
crypto.getRandomValues(), which taps into the operating system's cryptographic random number generator (CSPRNG). This is fundamentally different fromMath.random(), which uses a pseudo-random algorithm that is predictable and unsuitable for identifiers. - Set the version nibble — Byte 6 is masked: the upper 4 bits are replaced with
0100(decimal 4). This marks the UUID as version 4 regardless of what random value occupied those bits. - Set the variant bits — Byte 8 is masked: the upper 2 bits are set to
10. This marks the UUID as an RFC 9562 variant, distinguishing it from Microsoft GUIDs (variant110) and reserved formats.
The result is a 128-bit value with 122 bits of entropy — enough randomness to make collisions effectively impossible in any practical scenario.
Collision Probability
The mathematics of UUID v4 collision probability follow the birthday problem. With 122 random bits, the UUID space contains 2122 (approximately 5.3 × 1036) possible values. Key collision thresholds:
- 1 billion UUIDs: collision probability ≈ 10-19 (essentially zero)
- 1 trillion UUIDs: collision probability ≈ 10-13 (still negligible)
- 2.71 × 1018 UUIDs: 50% collision probability (the birthday bound)
To put this in perspective: if every person on Earth generated 1 million UUID v4 values per second, it would take approximately 100 years to reach a 50% chance of a single collision. For all practical purposes, UUID v4 is collision-free.
UUID v4 Structure
| Field | Bits | Content |
|---|---|---|
| random_a | 0–47 | 48 random bits |
| ver | 48–51 | 0100 (version 4) |
| random_b | 52–63 | 12 random bits |
| var | 64–65 | 10 (RFC 9562 variant) |
| random_c | 66–127 | 62 random bits |
You can identify a UUID v4 by looking at the third group: the first character is always 4. The first character of the fourth group is always 8, 9, a, or b (the variant indicator).
When to Use UUID v4
UUID v4 is the right choice for most applications:
- API identifiers — Resource IDs in REST and GraphQL APIs where privacy and simplicity matter more than sortability.
- Session tokens and correlation IDs — When you need a unique, unguessable identifier that reveals nothing about the user or system.
- Distributed systems without coordination — Microservices that need to generate IDs independently without a shared sequence or database.
- Event sourcing and message queues — Unique event identifiers where order is determined by separate timestamps, not the ID itself.
Consider UUID v7 instead when database index performance matters (v4's randomness causes B-tree fragmentation) or when you need time-ordered identifiers. Consider UUID v1 when you need to embed and later extract creation timestamps.
Frequently Asked Questions
What is a UUID Version 4?
A UUID Version 4 is a randomly generated universally unique identifier. It uses 122 bits of cryptographically secure random data, with 6 bits reserved for the version (0100) and variant (10) fields. It is the most widely used UUID version across the software industry.
What is the probability of a UUID v4 collision?
With 122 random bits, you would need to generate approximately 2.71 quintillion (2.71 × 1018) UUIDs to have a 50% chance of a single collision. For practical purposes, UUID v4 collisions are considered impossible. Generating a billion UUIDs gives a collision probability of about 10-19.
Is UUID v4 cryptographically secure?
UUID v4 generated with crypto.getRandomValues() (as in this tool) uses the operating system's cryptographic random number generator, making the output suitable for security-sensitive applications. UUIDs generated with Math.random() are NOT cryptographically secure and should never be used for security purposes.
Why is UUID v4 the most popular version?
UUID v4 is popular because it is simple to implement (just random bytes + version/variant bits), requires no coordination between generators, preserves complete privacy (no timestamp or machine information), and has virtually zero collision risk. It is the default choice for APIs, session tokens, and general-purpose identifiers.
Should I use UUID v4 or v7 for database primary keys?
For database primary keys, UUID v7 is generally preferred because its time-ordered structure results in sequential index writes, reducing B-tree page splits and fragmentation. UUID v4's fully random nature causes scattered inserts that degrade write performance on large tables, particularly with clustered indexes in PostgreSQL, MySQL, and SQL Server.