What is a UUID Version 4?
UUID Version 4 is a randomly generated universally unique identifier. Of its 128 bits, 122 are filled with cryptographically secure random data — only 6 bits are predetermined: 4 bits for the version field (0100, indicating version 4) and 2 bits for the variant field (10, indicating RFC 9562 compliance). This makes UUID v4 the simplest UUID version to generate and the most widely deployed across the software industry.
The simplicity of UUID v4 is its greatest strength. Unlike v1 (which requires a clock and node ID) or v7 (which requires a synchronized timestamp), v4 needs only a good source of randomness. Any device, on any network, at any time, can generate a UUID v4 without coordination, registration, or shared state.
How UUID v4 is Generated
The generation algorithm for UUID v4 is straightforward:
- Generate 128 random bits — This generator uses
crypto.getRandomValues(), which taps into the operating system's cryptographic random number generator (CSPRNG). - Set the version nibble — Byte 6 is masked: the upper 4 bits are replaced with
0100(decimal 4). - Set the variant bits — Byte 8 is masked: the upper 2 bits are set to
10.
The result is a 128-bit value with 122 bits of entropy — enough randomness to make collisions effectively impossible in any practical scenario.
Collision Probability
The mathematics of UUID v4 collision probability follow the birthday problem. With 122 random bits, the UUID space contains 2122 (approximately 5.3 × 1036) possible values. Key collision thresholds:
- 1 billion UUIDs: collision probability ≈ 10-19 (essentially zero)
- 1 trillion UUIDs: collision probability ≈ 10-13 (still negligible)
- 2.71 × 1018 UUIDs: 50% collision probability (the birthday bound)
UUID v4 Structure
| Field | Bits | Content |
|---|---|---|
| random_a | 0–47 | 48 random bits |
| ver | 48–51 | 0100 (version 4) |
| random_b | 52–63 | 12 random bits |
| var | 64–65 | 10 (RFC 9562 variant) |
| random_c | 66–127 | 62 random bits |
When to Use UUID v4
- API identifiers — Resource IDs in REST and GraphQL APIs where privacy and simplicity matter more than sortability.
- Session tokens and correlation IDs — When you need a unique, unguessable identifier that reveals nothing about the user or system.
- Distributed systems without coordination — Microservices that need to generate IDs independently without a shared sequence or database.
- Event sourcing and message queues — Unique event identifiers where order is determined by separate timestamps, not the ID itself.
Frequently Asked Questions
What is a UUID Version 4?
A UUID Version 4 is a randomly generated universally unique identifier. It uses 122 bits of cryptographically secure random data, with 6 bits reserved for the version (0100) and variant (10) fields.
What is the probability of a UUID v4 collision?
With 122 random bits, you would need to generate approximately 2.71 quintillion (2.71 × 1018) UUIDs to have a 50% chance of a single collision.
Is UUID v4 cryptographically secure?
UUID v4 generated with crypto.getRandomValues() (as in this tool) uses the operating system's cryptographic random number generator, making the output suitable for security-sensitive applications.
Should I use UUID v4 or v7 for database primary keys?
For database primary keys, UUID v7 is generally preferred because its time-ordered structure results in sequential index writes, reducing B-tree page splits and fragmentation.