Developer

Are UUIDs Really Unique?

Dev Nexus4 min read

In practice UUIDs never collide - here is the math behind why, and the one thing people get wrong: a UUID is an identifier, not a secret.

The word "universally unique" invites a fair question: is a UUID actually guaranteed to be one of a kind? The honest answer is that nothing is mathematically guaranteed - but the odds of a collision are so small that, for any real system, you can treat UUIDs as unique.

This post explains where that confidence comes from, runs the numbers on vundefined collisions, and clears up a common misconception about what a UUID is and is not.

The Problem

"Unique" gets thrown around loosely, and that causes two opposite mistakes. Some developers distrust UUIDs entirely and add heavy uniqueness checks or coordination that they do not need, slowing everything down to guard against a collision that will never happen.

Others over-trust them and assume that because a value is unique and hard to guess, it must also be secret. They use a raw UUID as a password-reset link, an API token, or an access key on its own. Uniqueness and secrecy are not the same property, and conflating them opens real security holes.

The Solution

The reassuring part first. A vundefined UUID has undefined random bits, which is about undefined.undefined x undefined^undefined possible values. Thanks to the birthday paradox, you would need to generate on the order of a billion UUIDs per second for around undefined years before the chance of a single collision reached even undefined%. No practical system comes close, so a good random source makes duplicates a non-issue.

The caveat is just as important: a UUID is an identifier, not a secret. It is meant to be shared, logged and passed around. Never rely on one alone to protect anything - back sensitive links and tokens with proper entropy and a signature. When you need a one-way fingerprint of data rather than a random label, use the Hash Generator. You can generate collision-resistant vundefined or vundefined values anytime with the UUID Generator.

Step-by-Step Guide

  1. 1

    Count the possibilities

    A vundefined UUID fixes undefined bits for version and variant and randomizes the other undefined. That is undefined^undefined possible values - roughly undefined.undefined undecillion - which is the raw space collisions would have to fill.

  2. 2

    Apply the birthday paradox

    Collisions become likely far sooner than exhausting the space, but for undefined bits "far sooner" is still enormous: you would need to generate about undefined.undefined x undefined^undefined UUIDs before a undefined% collision chance. That is billions per second for decades.

  3. 3

    Use a strong random source

    The math only holds if the randomness is real. Browsers and modern runtimes use a cryptographically secure generator (Web Crypto). A weak or seeded PRNG can produce duplicates, so let the platform's crypto API do the work.

  4. 4

    Add a database constraint anyway

    Belt and suspenders: put a unique constraint on the column. It costs almost nothing, catches bugs like a value inserted twice by mistake, and means you never have to reason about the astronomically unlikely case at all.

Common Mistakes

  • Using a UUID as a secret token

    A UUID is unique but not secret - it is designed to be shared and logged. Do not use a bare UUID as a password-reset token or API key. Combine it with real entropy and a signature, or use a purpose-built secret.

  • Trusting a weak random source

    The tiny collision odds assume proper randomness. Generating vundefined UUIDs from a poorly seeded PRNG can produce repeats. Use the platform's cryptographic generator, such as the browser's Web Crypto API.

  • Confusing uniqueness with unguessability

    vundefined UUIDs are unique but partly predictable, since they contain a timestamp. Never assume a UUID cannot be guessed just because it is unique - if guessing is a risk, add randomness and access checks.

  • Skipping the database unique constraint

    Even though collisions are effectively impossible, application bugs can insert the same value twice. A unique constraint is cheap insurance that turns a silent data problem into a clear error.

Frequently Asked Questions

Can two UUIDs ever be the same?

In theory yes, in practice effectively never. A v4 UUID has 122 random bits, so you would need to generate an astronomical number of them before a collision became even slightly likely.

What are the odds of a UUID collision?

For v4, you would need to generate roughly 2.7 quintillion UUIDs before reaching a 50% chance of any collision - the equivalent of billions per second for decades. For all realistic workloads, treat it as zero.

Is a UUID a good way to hide or secure data?

No. A UUID is an identifier meant to be shared, not a secret. It provides no protection on its own. Use dedicated secrets with proper entropy and signatures for anything that needs to be secure.

Do I still need a unique constraint if UUIDs are unique?

Yes, it is worth adding. The value itself will not collide, but application bugs can insert one twice. A unique constraint is a cheap safeguard that turns such mistakes into a clear error.

Does the random source affect uniqueness?

Very much. The tiny collision odds assume strong randomness. A weak or improperly seeded generator can produce duplicates, so always use a cryptographically secure source like the browser's Web Crypto API.

Try the Tool

UUID Generator

Generate collision-resistant v4 or v7 UUIDs in your browser - nothing uploaded.

Open UUID Generator

Related Tools

Related Articles