GUID & UUID Wiki

GUID vs UUID - Are they the same?

In most real-world software, GUID and UUID refer to the same kind of identifier: a 128-bit value typically written as 32 hexadecimal digits in the familiar 8-4-4-4-12 format. The difference is mainly terminology and ecosystem — not the underlying concept.

Quick comparison

Why people think they're different

• Different naming: “GUID” is a Microsoft term while “UUID” is the standard term used by specifications and most cross-platform docs.
• Different binary representations in some APIs: some platforms store or serialize GUID bytes in a different internal byte order than the canonical UUID string format.
• Different default generators: libraries may default to different versions (e.g., v4 vs v7) even though the identifier type is still the same.

Canonical format and where “version” lives

Whether you call it a GUID or a UUID, the most common representation is a 36-character string (32 hex digits + 4 hyphens). The version is encoded as the first hex digit of the third group.

                    
                        Canonical format:  8-4-4-4-12
                        Example:           f47ac10b-58cc-4372-a567-0e02b2c3d479
                        Version nibble:    xxxxxxxx-xxxx-Vxxx-xxxx-xxxxxxxxxxxx
                                                         ^ V is the GUID / UUID version (1..8)
                        Variant nibble:    xxxxxxxx-xxxx-xxxx-Nxxx-xxxxxxxxxxxx
                                                              ^ N indicates the GUID / UUID variant (layout family)
                    
                

Variant meaning (practical view): the variant defines the layout family of the UUID — in other words, how the remaining bits should be interpreted. In modern software, almost all UUIDs you encounter use the RFC variant.

                    
                        Variant (high bits of the 4th group):
                        0xxx  → NCS (obsolete)
                        10xx  → RFC 4122 / RFC 9562 (standard, most common)
                        110x  → Microsoft (legacy GUID layout)
                        111x  → Reserved for future use
                    
                

Practical rule: if the first hex digit of the fourth group is 8, 9, a, or b, the GUID / UUID uses the standard RFC layout. That is what virtually all modern UUIDs use.

Warnings and pitfalls

• GUID byte-order confusion: some systems store the first fields in little-endian order in memory or certain binary formats. Your string may look the same, but raw bytes might differ between platforms.
• Not a secret: GUIDs / UUIDs are identifiers, not access tokens. Don't use them as “unguessable passwords” or authorization secrets.
• Sorting behavior depends on representation: sorting by GUID / UUID string is not the same as sorting by raw bytes in every database/driver.

Conclusion

Use the term UUID when you want standards-aligned language and GUID when matching Microsoft/.NET naming. But treat them as the same underlying 128-bit identifier. The important part is choosing the right version (v4, v6 and v7) for your use case.

GUID / UUID regex patterns (validation)

Regex validation is best used for quick input checks (shape + hex digits). For stricter validation, you should also verify the version and variant bits and ideally parse to bytes using a trusted GUID / UUID library.

1. Canonical GUID / UUID only (hyphenated)

Matches the standard 8-4-4-4-12 representation with hex digits (case-insensitive).

^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$

2. Canonical + version (1-8) + RFC variant (8/9/a/b)

Enforces that the UUID is one of the modern versions (1 through 8) and uses the standard RFC variant (8, 9, a, or b).

^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$

3. Accept common input variants (braces and URN)

Accepts any of these forms: uuid, {uuid}, or urn:uuid:uuid. This is useful for UI input fields where users paste different styles.

^(?:urn:uuid:)?(?:\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$

4. Empty GUID / Nil UUID (all zeros)

Sometimes you want to explicitly detect an Empty GUID / Nil UUID.

^00000000-0000-0000-0000-000000000000$

Practical notes

• Normalize first: trim whitespace, optionally strip urn:uuid: and braces, then validate.
• Prefer parsing in code: use your platform's UUID/GUID parser after regex checks to avoid edge cases.
• Version and variant are separate: version is the first hex digit of the third group; variant is the first hex digit of the fourth group.
• Don't over-constrain input: if your app accepts uppercase or braces, reflect that in validation and normalization, not in your database storage.

GUID / UUID v1 - Time-Based

RFC 4122 - ietf.org

GUID / UUID v1 is a time-based identifier. It combines a high-resolution timestamp with additional bits (a clock sequence and a node identifier) so that systems can generate IDs without a central database while keeping collisions extremely unlikely.

In practice, v1 GUIDs / UUIDs often look “sortable-ish” because the timestamp is embedded, but sorting behavior can depend on how GUID / UUID bytes are stored and compared. V1 is widely supported, but it comes with privacy considerations because the node field has historically been a device identifier (commonly based on a MAC address), though many implementations now randomize it.

Advantages of GUID / UUID v1

• Predictable structure: easy to validate (version nibble 1 and standard variant bits).

Warnings for GUID / UUID v1

• Severe privacy leakage: encodes creation time and historically the node field could reveal a device MAC address. Many implementations randomize the node, but you should not assume that.
• Not ideal for public IDs: timestamps can make IDs more guessable and may expose activity patterns (e.g., “when was this record created?”).
• Clock problems: if the system clock jumps backwards or has low resolution, generators must handle it correctly (often via clock sequence; behavior varies by implementation).
• Sorting pitfalls: string sorting may look time-ordered, but true ordering depends on byte layout and how your platform stores GUIDs / UUIDs (some reorder bytes internally).
• Implementation differences: node source (MAC vs random), clock handling and monotonicity strategies vary by library and OS.

Technical description

Bit layout (practical view): UUIDs are 128-bit values shown as 32 hex digits with hyphens: 8-4-4-4-12. V1 uses these main regions: a timestamp, a clock sequence and a node identifier.

Fields (what exists): the timestamp is a 60-bit count of 100-nanosecond intervals since 1582-10-15 (Gregorian epoch), stored across the first three groups (with the version bits mixed in). The clock sequence is 14 bits used to help avoid duplicates when time is not strictly increasing. The node is 48 bits, historically derived from a MAC address but often randomized today (varies by implementation).

Ordering behavior: v1 contains time information, but it is not a simple “timestamp prefix” in the string. Depending on storage/byte order, v1 may not sort exactly by creation time in your database or programming platform. Treat v1 as time-correlated, not guaranteed perfectly sortable.

                    
                        Canonical format:  8-4-4-4-12
                        Example (v1):      6f9619ff-8b86-11d0-b42d-00c04fc964ff
                        Version nibble:    xxxxxxxx-xxxx-1xxx-xxxx-xxxxxxxxxxxx
                                                         ^ first hex digit of the 3rd group is "1" for v1
                        Variant nibble:    xxxxxxxx-xxxx-xxxx-Nxxx-xxxxxxxxxxxx
                                                              ^ N is typically 8, 9, a or b (RFC variant)
                    
                

Conclusion

GUID / UUID v1 is usually a poor choice because it can leak creation time and possibly node-related metadata (MAC address). If you want time ordering with fewer privacy surprises, v7 is often preferred. If you want minimal embedded metadata, v4 remains a common default.

GUID / UUID v2 - DCE Security (POSIX UID/GID)

(Defined in DCE 1.1 specification, reserved in RFC 4122)

GUID / UUID v2 is a rarely used variant derived from GUID / UUID v1 and was originally intended for DCE (Distributed Computing Environment) security systems. It modifies the time-based v1 layout by replacing part of the identifier with a local domain and a local identifier. Such as a POSIX UID or GID.

In practice, GUID / UUID v2 was meant to embed operating-system level identity information into the GUID / UUID itself. Because this exposes sensitive metadata and was tightly coupled to DCE concepts. V2 never saw widespread adoption and is rarely implemented in modern GUID / UUID libraries.

Advantages of GUID / UUID v2

• DCE integration: designed to work directly with DCE Security models and OS-level identity concepts.

Warnings for GUID / UUID v2

• Severe privacy concerns: embeds OS-level identifiers (such as UID or GID). Which can leak sensitive security and user information.
• Not formally standardized: there is no dedicated RFC that fully specifies UUID v2 behavior or guarantees interoperability.
• DCE-specific design: tightly coupled to legacy DCE Security concepts that are rarely used today.
• Very limited support: most GUID / UUID libraries do not generate or parse v2 UUIDs.
• Not recommended for new systems: modern GUID / UUID versions provide better privacy, portability and standardization.

Technical description

Bit layout (practical view): UUID v2 uses the same overall 128-bit structure and canonical string format as other UUIDs (8-4-4-4-12). It is based on the v1 layout, but with modifications to support DCE Security.

Fields (what exists): v2 replaces part of the time_low field from v1 with a local identifier (such as a UID or GID). The local domain field specifies what kind of identifier is embedded (for example, user or group). The remaining fields include a timestamp, clock sequence and node identifier. Similar to v1. Exact usage varies and is not strictly specified.

Ordering behavior: because v2 is derived from v1, it contains time information, but the modification of the timestamp fields means ordering behavior is implementation-dependent and should not be relied upon for sorting.

                    
                        Canonical format:  8-4-4-4-12
                        Example (v2):      6f9619ff-8b86-21d0-b42d-00c04fc964ff
                        Version nibble:    xxxxxxxx-xxxx-2xxx-xxxx-xxxxxxxxxxxx
                                                         ^ first hex digit of the 3rd group is "2" for v2
                        Variant nibble:    xxxxxxxx-xxxx-xxxx-Nxxx-xxxxxxxxxxxx
                                                              ^ N tis typically 8, 9, a or b (RFC/DCE variant)
                    
                

Conclusion

GUID / UUID v2 is a historical, DCE-specific variant that is rarely encountered in modern systems. While it builds on the time-based structure of v1, its lack of formal standardization, limited support and significant privacy drawbacks make it unsuitable for new applications. For modern designs, prefer v4 for randomness or v7 for time-ordered identifiers.

GUID / UUID v3 - Name-Based Identifier (MD5 Hash)

RFC 4122 - ietf.org

GUID / UUID v3 is name-based. Instead of being random or time-based, it is generated by hashing a name together with a namespace GUID / UUID using the MD5 hashing algorithm. The result is a deterministic identifier: the same namespace and name always produce the same GUID / UUID.

This makes v3 useful when you need stable, repeatable identifiers derived from existing data (for example, URLs, usernames or external IDs). However, because it relies on MD5, v3 is considered cryptographically weak and is generally discouraged for new designs.

Advantages of GUID / UUID v3

• Deterministic output: the same namespace and name always generate the same GUID / UUID.
• No coordination required: identifiers can be generated independently without shared state or central services.
• Name-derived identity: useful for mapping existing identifiers (such as URLs or usernames) into a GUID / UUID form.
• Globally unique per namespace: uniqueness is guaranteed as long as the namespace/name combination is unique.
• Standardized behavior: generation rules are clearly defined in the UUID specification.

Warnings for GUID / UUID v3

• Uses cryptographically broken MD5: MD5 is cryptographically broken and should not be used where collision resistance or security matters.
• Predictable identifiers: anyone who knows the namespace and name can reproduce the GUID / UUID.
• Not suitable for secrets: v3 GUIDs / UUIDs must never be used as authentication tokens or unguessable IDs.
• No time ordering: v3 UUIDs have no temporal component and do not sort by creation time.
• Legacy choice: for new systems, v5 (SHA-1) or other approaches are usually preferred over v3.

Technical description

Bit layout (practical view): UUID v3 follows the standard 128-bit UUID layout and canonical string format (8-4-4-4-12). The UUID is derived by computing an MD5 hash over:
namespace UUID (binary) + name (bytes).

Fields (what exists): the 128-bit MD5 hash output is used as the base value. Certain bits are then overwritten to indicate the version (3) and the variant (RFC-defined layout). No timestamp, counter or node identifier exists in v3.

                    
                        Canonical format:  8-4-4-4-12
                        Example (v3):      3d813cbb-47fb-32ba-91df-831e1593ac29
                        Version nibble:    xxxxxxxx-xxxx-3xxx-xxxx-xxxxxxxxxxxx
                                                         ^ first hex digit of the 3rd group is "3" for v3
                        Variant nibble:    xxxxxxxx-xxxx-xxxx-Nxxx-xxxxxxxxxxxx
                                                              ^ N is typically 8, 9, a or b (RFC variant)
                    
                

Namespaces: the specification defines well-known namespace GUIDs / UUIDs (such as DNS, URL, OID, and X.500), but custom namespaces may also be used. Uniqueness is guaranteed only within the context of the chosen namespace.

Conclusion

GUID / UUID v3 provides deterministic, name-based identifiers that are useful for stable mappings and legacy interoperability. However, because it relies on MD5 and produces predictable values, it is generally avoided in new systems. When name-based GUIDs / UUIDs are required today, v5 (SHA-1) is usually the preferred alternative.

GUID / UUID v5 - Name-Based Identifier (SHA-1)

RFC 4122 - ietf.org

GUID / UUID v5 is name-based that produces identifiers by hashing a namespace GUID / UUID together with a name using the SHA-1 hashing algorithm. The result is deterministic: the same namespace and name always generate the same GUID / UUID.

This makes v5 useful when you need stable, repeatable identifiers derived from existing data (such as URLs, DNS names, usernames or external IDs) while avoiding randomness and coordination. Compared to v3, v5 replaces MD5 with SHA-1 and is generally preferred for modern systems.

Advantages of GUID / UUID v5

• Deterministic generation: the same inputs always produce the same GUID / UUID, which is ideal for idempotent operations and stable mappings.
• No coordination required: GUIDs / UUIDs can be generated independently without shared state or a central authority.
• Namespace isolation: identical names in different namespaces produce different GUIDs / UUIDs.
• More robust than v3: uses SHA-1 instead of MD5, avoiding known weaknesses of MD5.
• Standardized behavior: generation rules are clearly defined and consistent across platforms.
• Useful for data modeling: convenient for deriving GUIDs / UUIDs from existing identifiers or content.

Warnings for GUID / UUID v5

• Uses SHA-1: while stronger than MD5, SHA-1 is considered weak for cryptographic security and should not be relied on for collision resistance in adversarial scenarios.
• Predictable values: anyone who knows the namespace and name can reproduce the GUID / UUID.
• Not a security token: v5 GUIDs / UUIDs must not be used as secrets, access tokens or unguessable GUIDs / UUIDs.
• No time ordering: v5 GUIDs / UUIDs contain no timestamp and do not sort by creation time.
• Input stability required: changes in name encoding or normalization will produce different GUIDs / UUIDs.

Technical description

Bit layout (practical view): UUID v5 follows the standard 128-bit UUID layout and canonical string format (8-4-4-4-12). The UUID is computed by hashing: namespace UUID (binary) + name (bytes) using SHA-1.

Fields (what exists): the first 128 bits of the SHA-1 hash output are used as the base value. Certain bits are then overwritten to encode the version (5) and the variant (RFC-defined layout). There is no timestamp, counter, or node identifier in v5.

                    
                        Canonical format:  8-4-4-4-12
                        Example (v5):      987fbc97-4bed-5078-8f07-9141ba07c9f3
                        Version nibble:    xxxxxxxx-xxxx-5xxx-xxxx-xxxxxxxxxxxx
                                                         ^ first hex digit of the 3rd group is "5" for v5
                        Variant nibble:    xxxxxxxx-xxxx-xxxx-Nxxx-xxxxxxxxxxxx
                                                              ^ N is typically 8, 9, a or b (RFC variant)
                    
                

Namespaces: the specification defines well-known namespaces (DNS, URL, OID, X.500), but custom namespaces can also be created. Uniqueness is guaranteed only within the chosen namespace and name combination.

Conclusion

GUID / UUID v5 is the preferred choice when you need deterministic, name-based identifiers without relying on randomness or coordination. While it should not be used for security-sensitive purposes, it is well-suited for stable mappings, idempotent operations and derived identifiers in modern systems.

GUID / UUID v6 - Reordered Time-Based Identifier

RFC 9562 - ietf.org

GUID / UUID v6 is a time-based UUID designed to be sortable by creation time using simple string/byte comparisons. It is essentially GUID / UUID v1 with the timestamp bytes reordered so that the most significant time bits come first.

Practically, this makes v6 attractive for databases and storage engines that suffer when keys are inserted in random order. If you already use v1 (or must remain compatible with v1-style fields), v6 provides the same information while behaving better in indexes.

Like v1, v6 can include a node identifier (often a MAC address) and a clock sequence. Many implementations replace the node identifier with a random 48-bit value for privacy, but behavior can vary by implementation.

Advantages

• Lexicographically sortable by time: values generated later generally sort after earlier ones without parsing fields.
• Better database locality: reduced index fragmentation compared to fully random GUIDs / UUIDs in many common B-tree style indexes.
• Field-compatible with v1: keeps the familiar concepts of timestamp, clock sequence, and node identifier while improving ordering.
• No central coordination required: can be generated independently across machines and services.
• Good for distributed IDs with ordering: helps when you want IDs that roughly reflect creation order (logs, events, records).
• Easy validation: version nibble and variant bits provide quick sanity checks during parsing.
• Works in the standard GUID / UUID string format: stays compatible with the canonical 8-4-4-4-12 representation and common tooling.

Warnings

• Privacy risk if MAC-based node IDs are used: v6 can embed a hardware identifier (like v1). Prefer a random node ID if you don't want host tracking.
• Not “secret” or unguessable: time-ordered IDs can leak creation timing patterns and may be more predictable than purely random IDs.
• Ordering is “generally” time-based, not absolute: clock skew, clock adjustments or multi-node generation can still produce out-of-order values.
• Implementation differences: how the clock sequence and node fields are initialized (random vs legacy behavior) can vary by implementation.
• Collision handling depends on generator quality: a bad clock strategy, repeated state, VM cloning or a reused node/sequence combination can increase collision risk in flawed implementations.
• Prefer v7 for new systems: RFC 9562 recommends GUID / UUID v7 for systems that don't need legacy v1 semantics, since v7 uses a Unix-time-based design and is commonly favored for modern DB keys.

Technical description

What fields exist: GUID / UUID v6 reuses the same building blocks as GUID / UUID v1: a 60-bit timestamp (Gregorian epoch, 100-nanosecond units), a clock sequence (used to help uniqueness when time doesn't strictly increase) and a 48-bit node identifier (traditionally a MAC address, but often randomized for privacy).

Ordering behavior: v6 is designed so the timestamp bytes appear from most significant to least significant early in the GUID / UUID. That means a straightforward lexical sort of the canonical string usually groups values in creation-time order (unlike v1, where time bits are split in a way that breaks simple sorting).

Version and variant in practice: the GUID / UUID version is encoded in the first hex digit of the third group (it will be 6 for v6). The most common layout variant used on the web and in RFC 9562 is the “DCE” variant, where the variant bits are 10xx in the relevant byte.

                    
                        Canonical format:  8-4-4-4-12
                        Example (v6):      1ec9414c-232a-6b00-b3c8-9c9b5f0a2b1d
                        Version nibble:    xxxxxxxx-xxxx-6xxx-xxxx-xxxxxxxxxxxx
                                                         ^ first hex of the 3rd group is "6" for v6
                        Variant nibble:    xxxxxxxx-xxxx-xxxx-Nxxx-xxxxxxxxxxxx
                                                              ^ N is typically 8, 9, a or b (RFC variant)
                    
                

Practical bit layout (high level): GUID / UUID v6 starts with the higher timestamp bits first (time_high then time_mid), inserts the version nibble, then stores the remaining lower timestamp bits (time_low). The clock sequence and node fields follow in the same relative positions as v1.

Conclusions

Use UUID v6 when you want a UUID that is time-based like v1 but also sorts naturally in databases and logs. If you're designing a new system without v1 compatibility needs, consider UUID v7 instead. And if you do use v6, prefer implementations that avoid exposing MAC addresses unless you explicitly need them.

GUID / UUID v7 - Unix Time-Ordered Identifier

RFC 9562 - ietf.org

GUID / UUID v7 is a timestamp-prefixed UUID format designed to be both globally unique and roughly sortable by creation time. It is often used as a database key or event identifier where random GUIDs / UUIDs (like v4) can cause index fragmentation.

A v7 GUID / UUID starts with a Unix Epoch timestamp in milliseconds (48 bits), followed by random bits to ensure uniqueness. Because the time component is stored in big-endian form at the front, v7 GUIDs / UUIDs tend to cluster by time when sorted, which is usually friendlier for B-tree indexes and log/event ordering.

Advantages of GUID / UUID v7

• Time-ordered (practical sorting): the leading millisecond timestamp makes v7 GUIDs / UUIDs generally sortable by creation time when stored/compared in standard GUID / UUID byte order.
• Great for databases: tends to reduce random insert patterns compared to v4. Improving index locality in many B-tree setups.
• Distributed-friendly: can be generated independently on many nodes without coordination or a centralized service.
• Low collision risk: combines a timestamp prefix with substantial randomness (remaining bits), making duplicates extremely unlikely with a proper generator.
• Simple to validate: the version nibble is always 7 and the variant bits indicate the RFC-defined layout (most commonly 10xx in the canonical string as 8-b).
• Works well for event streams: useful for IDs that are frequently listed “newest first” or partitioned by time windows.
• Modern standard: standardized in RFC 9562 (which updates and supersedes RFC 4122).

Warnings for GUID / UUID v7

• Timestamp disclosure: v7 encodes an approximate creation time (millisecond epoch). Which can leak timing metadata in public IDs or URLs.
• Ordering is “best effort”: within the same millisecond, ordering depends on random/counter behavior (varies by implementation), so strict monotonicity is not guaranteed everywhere.
• Clock issues matter: skewed clocks, time going backwards or low-resolution timers can reduce ordering quality and may require special handling in high-throughput generators.
• GUID byte-order pitfalls: some platforms (notably certain “GUID” binary layouts) reorder bytes when storing/serializing. That can break expected “sort by time” behavior unless you store/compare in standard GUID / UUID byte order.
• Not a security token: v7 is an identifier, not an access secret. Don't treat it as unguessable authorization (even though it has randomness).
• Implementation differences: some generators may use part of the random region as a counter for monotonicity; others use purely random bits. Treat internal subfields beyond version/variant as opaque.

Technical description

Bit layout (practical view): a UUID is 128 bits displayed as 32 hex digits with hyphens: 8-4-4-4-12. For v7, the most significant bits begin with a 48-bit Unix timestamp (ms), then the version field (0111 → hex 7), then the remaining bits are used for uniqueness (commonly random; some implementations may incorporate a counter).

Fields you'll see in practice: the first 12 hex digits (48 bits) correspond to the timestamp. The first hex digit of the third group encodes the version (must be 7). The first hex digit of the fourth group encodes the variant (commonly 8, 9, a, or b for the RFC variant used by most UUIDs). Everything else is used for uniqueness and is not meant to be interpreted as a MAC address or node ID.

                    
                        Canonical format:  8-4-4-4-12
                        Example (v7):      018f3f5e-1c2d-7a9b-8f10-3c4d5e6f7a8b
                        Version nibble:    xxxxxxxx-xxxx-7xxx-xxxx-xxxxxxxxxxxx
                                                         ^ first hex digit of the 3rd group is "7"
                        Variant nibble:    xxxxxxxx-xxxx-xxxx-Nxxx-xxxxxxxxxxxx
                                                              ^ N is typically 8, 9, a or b (RFC variant)
                    
                

Ordering behavior: because the timestamp is stored at the front (big-endian), sorting v7 UUIDs in their standard byte/string form generally groups them by time. Within the same millisecond, order is influenced by the remaining bits (random and/or counter), so ordering is typically time-correlated, not perfectly sequential.

Conclusion

GUID / UUID v7 is a strong default when you want UUID-style decentralization but also want IDs that behave better in ordered storage (like many database indexes). Use it when time-correlation is helpful and prefer v4 when you need to avoid exposing creation time in the identifier.

GUID / UUID v8 - Custom / Application-Defined Identifier

RFC 9562 - ietf.org

GUID / UUID v8 is a flexible, application-defined format. Unlike other GUID / UUID versions, v8 does not prescribe how most bits are generated. Instead, it provides a standardized container that allows applications to define their own internal structure while still producing a valid GUID / UUID string.

This version exists to support custom identifier schemes that need to fit into the GUID / UUID ecosystem (databases, APIs, tooling, ...) without pretending to be time-based, random or name-based. The specification intentionally leaves most semantics up to the application.

Advantages of GUID / UUID v8

• Maximum flexibility: applications can define their own bit layout, encoding, or semantics.
• Standards-compliant container: still conforms to the UUID string format and variant rules.
• Future-proof: enables new UUID-like designs without requiring new version numbers.
• Interoperable shape: works with existing UUID parsers, databases, and APIs.
• Explicit intent: clearly signals that the UUID does not follow predefined semantics like v1-v7.

Warnings for GUID / UUID v8

• No guaranteed uniqueness model: uniqueness depends entirely on the application's design.
• No implied ordering: v8 does not guarantee time ordering or sortability unless explicitly designed to.
• Opaque to other systems: external systems cannot infer meaning from the bits.
• Easy to misuse: poor custom designs can lead to collisions or confusing behavior.
• Not a security primitive: v8 provides no cryptographic guarantees by itself.

Technical description

Bit layout (practical view): UUID v8 follows the standard 128-bit UUID layout and canonical string format (8-4-4-4-12). Only two parts are fixed: the version field (8) and the variant field (RFC-defined). All remaining bits are application-defined.

Fields (what exists): aside from the required version and variant bits, the specification does not define any mandatory fields such as timestamps, randomness, counters or node identifiers. Applications may encode time, randomness, hashes, counters or other data as they see fit.

                    
                        Canonical format:  8-4-4-4-12
                        Example (v8):      12345678-1234-8abc-9def-0123456789ab
                        Version nibble:    xxxxxxxx-xxxx-8xxx-xxxx-xxxxxxxxxxxx
                                                         ^ first hex digit of the 3rd group is "8" for v8
                        Variant nibble:    xxxxxxxx-xxxx-xxxx-Nxxx-xxxxxxxxxxxx
                                                              ^ N is typically 8, 9, a or b (RFC variant)
                    
                

Ordering behavior: v8 GUIDs / UUIDs have no inherent ordering. Any ordering or monotonic behavior must be explicitly designed and documented by the application generating them.

Conclusion

GUID / UUID v8 is a powerful escape hatch for advanced use cases where none of the predefined GUID / UUID versions fit. It should be used deliberately and documented clearly, as its meaning and guarantees exist entirely outside the GUID / UUID standard. For most applications, v4, v6 or v7 remain better defaults.

GUID / UUID Version vs Variant - What's the difference?

Version and variant are two separate concepts in a GUID / UUID. They are often confused because both are encoded as single hexadecimal digits, but they answer different questions and live in different positions inside the GUID / UUID.

Where version and variant live

                    
                    Canonical format:  8-4-4-4-12
                    Layout:            xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx
                    M = Version
                    N = Variant
                
                

The GUID / UUID version is encoded in the first hex digit of the third group. The GUID / UUID variant is encoded in the first hex digit of the fourth group.

GUID / UUID Version

The version defines the generation strategy used to create the GUID / UUID. It answers the question: “Where did this identifier come from?”

GUID / UUID Variant

The variant defines the layout family of the GUID / UUID. It answers the question: “How should the bits of this GUID / UUID be interpreted?”

The variant is independent of the version. Every GUID / UUID version uses a variant, including modern ones like v7 and v8.

                    
                    Variant nibble (first hex of 4th group):
                    0xxx  → NCS (obsolete)
                    10xx  → RFC 4122 / RFC 9562 (standard)
                    110x  → Microsoft legacy GUID
                    111x  → Reserved for future use
                    
                

Practical rule: if the first hex digit of the fourth group is 8, 9, a or b. The GUID / UUID uses the standard RFC layout. This is what almost all modern GUIDs / UUIDs use.

Version vs Variant (side by side)

Common misconceptions

• “Only some versions have a variant”: false - all UUID versions include a variant.
• “Variant means version family”: false - variant defines layout, not generation method.
• “Variant affects uniqueness”: false - uniqueness comes from the generation algorithm.

Conclusion

Version and variant solve different problems and should always be treated separately. When documenting or validating GUIDs / UUIDs, show both the version to explain behavior and the variant to confirm the standard layout.

RFC 4122 vs RFC 9562

GUIDs / UUIDs are defined by IETF standards (RFCs). For many years, developers referenced RFC 4122, but this document has been formally obsoleted by RFC 9562. This comparison explains what changed, what stayed the same, and which RFC you should reference today.

Key takeaways

• RFC 9562 supersedes RFC 4122: it is the official, current GUID / UUID standard.
• Nothing “breaks”: existing GUIDs / UUIDs generated under RFC 4122 remain valid.
• New versions matter: v6 and v7 directly address long-standing database and ordering problems.
• Documentation should cite RFC 9562: with optional mention of RFC 4122 for legacy context.

Practical advice for developers

• If you generate new GUIDs / UUIDs, reference RFC 9562 in documentation.
• If a library mentions “RFC 4122 GUIDs / UUIDs”, it usually still produces valid GUIDs / UUIDs — the wording is just outdated.
• Prefer v4 for simplicity and v6 or v7 for time-ordered IDs.

Conclusion

RFC 4122 laid the foundation for GUIDs / UUIDs and powered the web for nearly two decades. RFC 9562 modernizes that foundation without breaking compatibility, making it the correct reference point for all new GUID / UUID documentation and system design today.

GUID/UUID vs ULID vs KSUID - Which Identifier Should You Use?

Compare GUID / UUID, ULID and KSUID for databases and distributed systems. Learn the key differences, use cases, trade-offs and when to choose each.

GUIDs / UUIDs are the most widely supported identifiers across databases, APIs and programming languages. However, many systems also use GUID/UUID-like alternatives such as ULID and KSUID to get better time ordering and improved database index locality.

Cloud platforms like AWS typically do not introduce their own GUID / UUID versions. Instead, they use standard IDs like ARNs and service-specific IDs and sometimes standard GUIDs / UUIDs (often v4) for request/event IDs. So when you're choosing an identifier for your own app or database schema, you're usually deciding between standard GUIDs / UUIDs and non-standard GUID/UUID-like formats such as ULID / KSUID.

Comparison table

Which one should you use?

• Choose GUID / UUID v4 if you want the safest default: widely supported, easy to store, no time metadata and simple generation.
• Choose GUID / UUID v7 if you want a standards-based ID that is time-ordered and typically behaves better as a database primary key than random GUIDs / UUIDs.
• Choose ULID if you want time-sortable IDs and prefer a compact, human-friendly Base32 string representation (and your stack already supports it).
• Choose KSUID if you want time-sortable IDs with a larger space and you're in an ecosystem that already uses KSUIDs for logs/events—and you accept that it's not a GUID / UUID.

Practical guidance for databases

If your main concern is database performance and index locality, you usually want identifiers that don't insert randomly across the index. That's the most common reason developers compare GUID / UUID v7, ULID and KSUID.

• Most compatible: GUID / UUID v4 (works everywhere, but can be random for indexes)
• Best “standard + sortable” combo: GUID / UUID v7 (time-ordered while staying a real GUID / UUID)
• Non-standard but popular: ULID / KSUID (sortable, but may require extra tooling and conventions)

Warnings & trade-offs

• GUIDs / UUIDs are not secrets: GUID / UUID v4/v7, ULID, and KSUID are identifiers. Do not use them as access tokens or authentication secrets.
• Sorting depends on representation: “time-sortable” usually means the string form sorts by time, but database storage/byte-order can change behavior (varies by database/driver).
• Non-standard formats: ULID and KSUID are not RFC UUIDs. Some APIs, ORMs, and databases assume GUID / UUID formatting and won't accept them without custom handling.
• Time leakage: time-ordered IDs can reveal approximate creation time. If that matters, prefer GUID / UUID v4 or treat IDs as private/internal.
• Interoperability matters: if you work across many systems or languages, GUIDs / UUIDs typically win due to universal support.

Mini FAQ

Conclusion

If you want broad interoperability, choose a standard UUID: GUID / UUID v4 for general-purpose IDs or GUID / UUID v7 for time-ordered database-friendly identifiers. Choose ULID or KSUID when your ecosystem already uses them or when their encoding and operational trade-offs are a deliberate fit for your system.