Every resource on the web has a URL. How that URL is constructed affects caching, routing, SEO, and the ease of migrating data between systems. UUIDs (Universally Unique Identifiers) are one way to generate the unique portion of a URL or database record identifier, but they are not the right choice in every situation. Understanding when to use them and when to use alternatives is a practical skill for anyone building web applications.
This piece covers the UUID specification, when UUIDs belong in URLs, when they do not, and what the alternatives look like.
What a UUID Is
A UUID is a 128-bit identifier, typically rendered as a 36-character string in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. The most common version in web development is UUID v4, which is generated from random or pseudo-random data.
The standard is defined in RFC 4122. The collision probability for UUID v4 is astronomically low. Generating a duplicate requires creating approximately 2.71 quintillion UUIDs. For practical purposes, UUIDs can be treated as globally unique without coordination between systems.
This global uniqueness is the reason UUIDs are useful in distributed systems where two services independently generate records that will later be merged. A sequential integer ID from a relational database is unique within that database but not globally. Two databases both using integer IDs will produce collisions when merged.
UUID v4 in Web Applications
UUID v4 generation is natively available in modern browsers through the Web Crypto API. No library required:
const id = crypto.randomUUID();
// "550e8400-e29b-41d4-a716-446655440000"
In Node.js, the same API is available through the built-in crypto module:
const { randomUUID } = require('crypto');
const id = randomUUID();
The Node.js crypto module documentation covers the full API. For projects that need to support older environments, the uuid npm package provides consistent behavior across environments.
When UUIDs Work Well in URLs
UUIDs in URLs have one major advantage: they obscure enumeration. A resource at /orders/550e8400-e29b-41d4-a716-446655440000 does not tell an attacker anything about how many orders exist or what the adjacent IDs are. Compare that to /orders/4327, which suggests that /orders/4326 and /orders/4328 also exist.
For private resources that require authentication, UUIDs in the URL are a reasonable choice. Session tokens, file download links, invitation URLs, and similar resources benefit from non-guessable identifiers.
When UUIDs Do Not Belong in URLs
For public, indexable content, UUIDs are usually the wrong choice. A URL like /blog/7c2e8b1a-1234-4f5e-8d3a-9b6c5e7f8a2b communicates nothing to a human reader and nothing to a search engine about the content it points to. Slug-based URLs like /blog/xml-sitemap-generator-how-to-build-one are more readable, more memorable, and carry semantic signals that help search engines understand the page's topic.
This matters for crawl efficiency. When a sitemap contains UUID-based URLs, search engines must crawl each one to determine what it contains. With slug-based URLs, the crawler gets a rough signal about content from the URL itself before loading the page. That is a minor advantage per URL but adds up across a large site.
The rule of thumb: use UUIDs for resource identifiers in APIs and private resources where the ID will not appear in human-visible interfaces. Use descriptive slugs for public pages that should be indexed and shared.
UUID Validation
If your application accepts UUID input (from API clients, for example), validating the format before processing it prevents a category of injection and error-handling bugs. A valid UUID v4 matches this pattern:
^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$
The 4 in the third group identifies it as version 4. The [89ab] constraint in the fourth group enforces the variant bits.
The UUID Generator includes a validation mode that checks UUID format and identifies the version. For bulk operations, it supports generating up to 100 UUIDs at once in multiple format options (with or without hyphens, uppercase, lowercase).
Photo by Jonathan Borba on Pexels
URL Architecture and Sitemaps
Whether you use UUIDs, slugs, or sequential integers in your URLs, the underlying requirement is consistency. Every canonical URL for an indexable page should have exactly one form, and that form should be what appears in your sitemap.
Mixed URL formats create canonical confusion. A product catalog that uses slugs for new products but legacy integer IDs for older ones requires careful canonicalization and sitemap management to avoid submitting duplicate entries.
For a deeper look at how sitemaps handle large URL sets, the guide on building and submitting XML sitemaps that search engines actually use covers URL validation, sitemap index splitting, and submission workflow. The same canonical URL discipline that applies to UUID versus slug choices applies to what ends up in your sitemap.
Photo by Brett Sayles on Pexels
UUID Versions Beyond v4
The UUID standard defines five versions, and understanding the differences helps you choose the right one for each use case.
v1 generates UUIDs based on the current timestamp and the machine's MAC address. The timestamp component makes v1 UUIDs sortable by creation time, which is useful for databases that benefit from monotonically increasing insert order. The MAC address component means v1 UUIDs can theoretically be traced back to a specific machine, which is a privacy consideration for consumer-facing systems.
v3 and v5 generate deterministic UUIDs from a namespace and a name. Given the same namespace and name, they always produce the same UUID. v3 uses MD5 hashing; v5 uses SHA-1. These are useful when you need a stable, repeatable identifier for a known resource. A URL, for example, could be consistently mapped to a UUID by hashing it with a fixed namespace.
v4 is fully random, which makes it the default for most use cases where you just need a unique identifier without any structural meaning.
The UUID Generator supports v1 and v5 generation for subscribers in addition to the free v4 generation and validation.
Bulk UUID Generation
Some workflows require generating large numbers of UUIDs at once: pre-generating IDs for a batch import, seeding a test database, or creating invitation codes. The UUID Generator supports bulk generation of up to 100 UUIDs per pass, with output in multiple formats (with hyphens, without hyphens, uppercase, lowercase).
For server-side bulk generation, the Node.js crypto module handles this efficiently in a loop without any external dependency.
Choosing an Approach for Your Project
For new projects, the current best practice is:
- Use UUID v4 for internal record identifiers and any resource that should not be publicly enumerable
- Use descriptive slugs for public-facing URLs that will be indexed and linked
- Use v5 if you need deterministic identifiers derived from a known input
- If you need globally unique slugs, generate a UUID and convert it to a shorter hash or use a slug-plus-short-ID hybrid like
/blog/xml-sitemaps-7c2e8b
Whichever identifier scheme you use, consistency matters. Mixed URL formats create canonical confusion that affects sitemaps and indexing. The guide on building clean XML sitemaps covers how URL canonicalization affects sitemap quality.
EvvyTools provides the UUID Generator as a free tool for both single generation and bulk workflows. The dev tools section also includes tools for the adjacent workflow: URL encoding, HTML formatting, and XML sitemap generation. Each tool is designed to work for the kind of one-off task where reaching for a library or writing a script would be overkill.
Top comments (0)