Why You Should Use UUIDs in Your APIs

What is a UUID?

A UUID is a 128-bit identifier represented as 32 hexadecimal digits in the format 8-4-4-4-12, totaling 36 characters. An example is 123e4567-e89b-12d3-a456-426655440000. The total number of possible UUIDs is approximately 3.4 x 10^38, providing virtually unlimited unique identifiers.

Why Use UUIDs?

The primary advantage centers on security. By using difficult-to-guess identifiers instead of sequential numbers (1, 2, 3, etc.), developers establish a fundamental security layer for their APIs.

Consider the contrast:

• Sequential: http://my.api/resource/12345
• UUID-based: http://my.api/resource/123e4567-e89b-12d3-a456-426655440000

The UUID approach makes enumeration attacks substantially harder. Developers can maintain sequential IDs internally for database indexing without exposing them publicly.

Addressing Downsides

Readability: While humans find UUIDs less readable, this is not a valid reason to abandon them given security benefits.

Database Performance: Caching strategies and correlating UUIDs with internal sequential IDs mitigate performance concerns while maintaining security advantages.

Conclusion

Implementing UUIDs as resource identifiers significantly strengthens API security through obfuscation while remaining practically viable through caching and intelligent database design.