What Is a UUID? v4 vs v7 Explained
By Justin Le
· 6 min read · Updated June 27, 2026
UUIDs are everywhere (database keys, request IDs, file names) but they're often used without much thought about which kind to pick. The choice between v4 and v7 actually matters for performance. Here's what you need to know.
What is a UUID?
A UUID (Universally Unique Identifier), also called a GUID, is a 128-bit value usually
written as 32 hex digits in the pattern
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. Its purpose is to let any system
generate an identifier without coordinating with anything else, and be
confident it won't clash with one generated elsewhere. That property makes UUIDs ideal
for distributed systems, where a central counter would be a bottleneck.
Are collisions a real risk?
In practice, no. A random (v4) UUID has 122 bits of randomness. You would need to generate on the order of a billion billion UUIDs before a collision became even remotely likely, far more than any real system produces. You can safely treat them as unique. (Note: "unique" is not the same as "unguessable"; see below.)
UUID v4: random
Version 4 is the one most people know: almost entirely random. It's simple, unpredictable, and great as a general-purpose identifier. Its one weakness shows up when you use it as a database primary key: because the values are scattered randomly, new rows insert at random points in the index, which fragments it and hurts write performance on large tables.
UUID v7: time-ordered
Version 7 (standardised in RFC 9562) fixes that. It puts a millisecond timestamp in the high bits, so v7 UUIDs generated later sort after earlier ones. They're still globally unique and unpredictable in their random portion, but because they're roughly ordered, they insert neatly at the end of a database index, keeping it compact and writes fast. For new primary keys, v7 is increasingly the recommended choice.
Rule of thumb: use v7 for database keys where insert order and index performance matter, and v4 when you just want a random identifier with no embedded timestamp.
A UUID is not a secret
One important caveat: UUIDs are designed to be unique, not unguessable in the security sense. Don't use one as a password, session token or access key; for that you want explicit, high-entropy randomness from a dedicated API key generator. A v7 UUID in particular leaks its creation time, which is fine for an ID but not for a secret.
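The v7 layout and the creation-time leak described above, as an added example (not code from the original article): it assembles a v7 UUID by hand following the RFC 9562 bit layout, reads the timestamp back out of it, and contrasts that with a token from Python's `secrets` module. The helper names `make_uuid7`, `creation_time` and `new_token`, the sample timestamp, and the use of `secrets` as a stand-in for the article's API key generator are assumptions.

```python
import os
import secrets
import uuid
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def make_uuid7(unix_ms: int, rand: bytes) -> uuid.UUID:
    """Assemble a v7 UUID using the RFC 9562 bit layout (hypothetical helper)."""
    if len(rand) != 10 or not 0 <= unix_ms < 1 << 48:
        raise ValueError("need 10 random bytes and a 48-bit millisecond timestamp")
    # Timestamp fills the top 48 bits; the 80 random bits fill the rest.
    value = (unix_ms << 80) | int.from_bytes(rand, "big")
    # Six of those 80 bits are then overwritten, leaving 74 random bits.
    value = (value & ~(0xF << 76)) | (0x7 << 76)  # version nibble = 7
    value = (value & ~(0x3 << 62)) | (0x2 << 62)  # variant bits = 10
    return uuid.UUID(int=value)


def creation_time(u: uuid.UUID):
    """Return the creation time embedded in a v7 UUID, or None for other versions."""
    if u.version != 7:
        return None
    return EPOCH + timedelta(milliseconds=u.int >> 80)


def new_token() -> str:
    """A secret: 256 bits from the OS CSPRNG, with no structure to read back."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    base_ms = 1_750_000_000_000  # constructed sample timestamp
    batch = [make_uuid7(base_ms + i, os.urandom(10)) for i in range(5)]
    assert sorted(batch) == batch  # later v7 values sort after earlier ones
    for u in batch:
        print(u, "->", creation_time(u).isoformat())
    v4 = uuid.uuid4()
    print(v4, "->", creation_time(v4))  # v4 carries no timestamp
    print("token:", new_token())
```

Anyone who sees a v7 identifier in a URL or log can run the equivalent of `creation_time` on it, so treat the record's creation time as public wherever the ID is exposed.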
UUID vs GUID
They're the same thing. GUID (Globally Unique Identifier) is Microsoft's name for a UUID; both are 128-bit identifiers in the same format. Don't let the two terms confuse you.
Try it
Generate v4 or v7 UUIDs in bulk with our UUID generator and compare how v7's leading timestamp keeps a batch in order. For secrets rather than identifiers, use the API key generator.
Frequently asked questions
What's the difference between a UUID and a GUID?
They're the same thing. GUID is Microsoft's name for a UUID. Both are 128-bit identifiers written in the same format.
Should I use UUID v4 or v7 for a database key?
Prefer v7 for new primary keys. Its time-ordered prefix keeps indexes compact and writes fast, while staying globally unique. Use v4 when you want a non-ordered random ID.
Can I use a UUID as a security token?
Not ideally. UUIDs are designed to be unique, not unguessable, and v7 even leaks its creation time. Use a dedicated high-entropy API key for tokens and secrets.