From treating an identifier as a secret to truncating bits away, here are the five UUID mistakes that most often turn into real incidents, and how to avoid each one.
1. Treating a UUID as a secret
This is the most damaging mistake. A UUID is an identifier, not a credential. It can be hard to guess, but it is often logged, shared in URLs, cached and copied. If a request like /invoice/{uuid} returns private data without an authorization check, you have an access-control bug, not a naming convention. Always verify that the current user may access the resource, and use dedicated high-entropy tokens for reset links and API keys.
2. Generating UUIDs with weak randomness
A UUID v4 is only as unique as its random source. Building one from Math.random or a home-grown generator quietly raises collision risk and, in security-adjacent contexts, predictability. Use the platform cryptographic source: crypto.randomUUID or crypto.getRandomValues in the browser and Node, and the standard UUID facilities in your language.
// Good
const id = crypto.randomUUID();
// Avoid
const bad = "xxxxxxxx".replace(/x/g, () =>
Math.floor(Math.random() * 16).toString(16));3. Skipping the database unique constraint
Collision probability for correctly generated UUIDs is astronomically small, so teams sometimes drop the unique index "because UUIDs are unique." The real duplicate incidents almost never come from math; they come from a fixture copied into production, a migration run twice, or a mocked generator returning the same value. A unique constraint turns those silent data-corruption bugs into a loud, catchable error.
4. Storing UUIDs in inconsistent formats
When one part of a system stores lowercase hyphenated UUIDs, another stores uppercase, and a third strips hyphens, equality checks and joins start failing in confusing ways. Normalize at the boundary: accept whatever users paste, then store one canonical form, ideally in a native UUID column so the database enforces it for you.
5. Shortening a UUID by truncating it
Wanting a shorter identifier is reasonable; achieving it by dropping characters is not. Truncation throws away entropy and multiplies collision risk. If you need a compact form, re-encode the full 128 bits with Base64url or Base58, which is reversible and lossless, or choose a natively short scheme like Nano ID from the start.