Best Ways to Create GUID/UUID in JavaScript
A GUID (Globally Unique Identifier) or UUID (Universally Unique Identifier) is a 128-bit identifier used to track objects, requests, users, sessions, and more. JavaScript provides several ways to generate UUIDs, ranging from built-in cryptographically secure APIs to fallback solutions for older environments.
This article explains the most reliable and modern approaches, including secure methods for both browser and Node.js environments.
1. Using crypto.randomUUID() (Recommended)
The crypto.randomUUID() method is the simplest and most secure option. It generates a compliant UUID v4 with excellent randomness.
const uuid = crypto.randomUUID();
console.log(uuid);
// Example output: c44ff497-9424-4355-96af-ba2690db5725Why this method is preferred
- Built-in and secure
- Minimal code
- Supported in modern browsers and Node.js 14.17+
- Fully compliant with RFC 4122
If your environment supports it — use it.
2. Using crypto.getRandomValues() (Secure Alternative)
For environments that support crypto.getRandomValues() but not crypto.randomUUID(), you can generate a standards‑compliant UUID v4 manually.
Here is a secure implementation:
function createUUIDv4() {
const buffer = new Uint8Array(16);
crypto.getRandomValues(buffer);
buffer[6] = (buffer[6] & 0x0f) | 0x40; // Version 4
buffer[8] = (buffer[8] & 0x3f) | 0x80; // Variant RFC4122
const hex = [...buffer].map(b => b.toString(16).padStart(2, '0')).join('');
return (
hex.slice(0, 8) + '-' +
hex.slice(8, 12) + '-' +
hex.slice(12, 16) + '-' +
hex.slice(16, 20) + '-' +
hex.slice(20)
);
}
console.log(createUUIDv4());
// Example output: 42254574-affd-47cc-9915-0ecae592351bBenefits
- Cryptographically secure
- Works in browsers and Node.js
- Customizable for advanced use cases
3. Using Math.random() (Not Secure)
Use this method only in environments without crypto support. It generates UUID-like strings but lacks cryptographic strength.
function createUUID() {
return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, char => {
const rand = (Math.random() * 16) | 0;
const value = char === "x" ? rand : (rand & 0x3) | 0x8;
return value.toString(16);
});
}
console.log(createUUID());
// Example: def4ac61-c2a3-4426-af8e-580c7c862ff1When to use it
- Legacy browsers
- Simple client-side demos
- Non-security-critical tasks
Avoid using this method for authentication, tokens, or anything sensitive.
Comparison of Methods
| Method | Security | Environment | Notes |
|---|---|---|---|
crypto.randomUUID() | Excellent | Browser & Node.js | Best choice |
crypto.getRandomValues() | Excellent | Browser & Node.js | Good alternative |
Math.random() | Weak | Any | Fallback only |
When Should You Use a UUID?
- Generating request IDs
- Creating unique DOM element identifiers
- Session tracking
- Client-generated resource IDs
- Offline-capable applications
UUIDs help avoid conflicts and ensure uniqueness across distributed systems.
Conclusion
Use crypto.randomUUID() whenever it’s available — one line, cryptographically secure, RFC-compliant. Fall back to crypto.getRandomValues() for older runtimes. Math.random() is a last resort for throwaway demos where collisions don’t matter.