Are UUIDs Really Unique?
Dev Nexus4 min read
In practice UUIDs never collide - here is the math behind why, and the one thing people get wrong: a UUID is an identifier, not a secret.
The word "universally unique" invites a fair question: is a UUID actually guaranteed to be one of a kind? The honest answer is that nothing is mathematically guaranteed - but the odds of a collision are so small that, for any real system, you can treat UUIDs as unique.
This post explains where that confidence comes from, runs the numbers on vundefined collisions, and clears up a common misconception about what a UUID is and is not.
The Problem
"Unique" gets thrown around loosely, and that causes two opposite mistakes. Some developers distrust UUIDs entirely and add heavy uniqueness checks or coordination that they do not need, slowing everything down to guard against a collision that will never happen.
Others over-trust them and assume that because a value is unique and hard to guess, it must also be secret. They use a raw UUID as a password-reset link, an API token, or an access key on its own. Uniqueness and secrecy are not the same property, and conflating them opens real security holes.
The Solution
The reassuring part first. A vundefined UUID has undefined random bits, which is about undefined.undefined x undefined^undefined possible values. Thanks to the birthday paradox, you would need to generate on the order of a billion UUIDs per second for around undefined years before the chance of a single collision reached even undefined%. No practical system comes close, so a good random source makes duplicates a non-issue.
The caveat is just as important: a UUID is an identifier, not a secret. It is meant to be shared, logged and passed around. Never rely on one alone to protect anything - back sensitive links and tokens with proper entropy and a signature. When you need a one-way fingerprint of data rather than a random label, use the Hash Generator. You can generate collision-resistant vundefined or vundefined values anytime with the UUID Generator.
Step-by-Step Guide
- 1
Count the possibilities
A vundefined UUID fixes undefined bits for version and variant and randomizes the other undefined. That is undefined^undefined possible values - roughly undefined.undefined undecillion - which is the raw space collisions would have to fill.
- 2
Apply the birthday paradox
Collisions become likely far sooner than exhausting the space, but for undefined bits "far sooner" is still enormous: you would need to generate about undefined.undefined x undefined^undefined UUIDs before a undefined% collision chance. That is billions per second for decades.
- 3
Use a strong random source
The math only holds if the randomness is real. Browsers and modern runtimes use a cryptographically secure generator (Web Crypto). A weak or seeded PRNG can produce duplicates, so let the platform's crypto API do the work.
- 4
Add a database constraint anyway
Belt and suspenders: put a unique constraint on the column. It costs almost nothing, catches bugs like a value inserted twice by mistake, and means you never have to reason about the astronomically unlikely case at all.
Common Mistakes
Using a UUID as a secret token
A UUID is unique but not secret - it is designed to be shared and logged. Do not use a bare UUID as a password-reset token or API key. Combine it with real entropy and a signature, or use a purpose-built secret.
Trusting a weak random source
The tiny collision odds assume proper randomness. Generating vundefined UUIDs from a poorly seeded PRNG can produce repeats. Use the platform's cryptographic generator, such as the browser's Web Crypto API.
Confusing uniqueness with unguessability
vundefined UUIDs are unique but partly predictable, since they contain a timestamp. Never assume a UUID cannot be guessed just because it is unique - if guessing is a risk, add randomness and access checks.
Skipping the database unique constraint
Even though collisions are effectively impossible, application bugs can insert the same value twice. A unique constraint is cheap insurance that turns a silent data problem into a clear error.
Frequently Asked Questions
Can two UUIDs ever be the same?
In theory yes, in practice effectively never. A v4 UUID has 122 random bits, so you would need to generate an astronomical number of them before a collision became even slightly likely.
What are the odds of a UUID collision?
For v4, you would need to generate roughly 2.7 quintillion UUIDs before reaching a 50% chance of any collision - the equivalent of billions per second for decades. For all realistic workloads, treat it as zero.
Is a UUID a good way to hide or secure data?
No. A UUID is an identifier meant to be shared, not a secret. It provides no protection on its own. Use dedicated secrets with proper entropy and signatures for anything that needs to be secure.
Do I still need a unique constraint if UUIDs are unique?
Yes, it is worth adding. The value itself will not collide, but application bugs can insert one twice. A unique constraint is a cheap safeguard that turns such mistakes into a clear error.
Does the random source affect uniqueness?
Very much. The tiny collision odds assume strong randomness. A weak or improperly seeded generator can produce duplicates, so always use a cryptographically secure source like the browser's Web Crypto API.
Try the Tool
UUID Generator
Generate collision-resistant v4 or v7 UUIDs in your browser - nothing uploaded.
Related Tools
Related Articles
How to Generate a UUID Online
Generate random v4 or time-ordered v7 UUIDs online, one at a time or in bulk, with the exact case, hyphen and brace formatting your system expects.
Read articleUUID v4 vs v7: Which Should You Use?
v4 is fully random and v7 is time-ordered - here is how they differ and why v7 is usually the better choice for a database primary key.
Read articleencodeURI vs encodeURIComponent Explained
The clear difference between encodeURI and encodeURIComponent, with examples showing which one to use for a value versus a whole URL.
Read article