UUID v5

UUID version 5 produces deterministic identifiers by hashing a namespace UUID and a name string with SHA-1, per RFC 4122. The same namespace and name always yield the same UUID. v5 is useful for stable derived IDs — for example, mapping external provider subjects to internal identifiers — but is not random and should not replace jti for replay-sensitive tokens. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail. Document expected behavior for client teams so tokens are issued, stored, and validated consistently across services.

Why It Matters

Use v5 when you need reproducible IDs across systems without a central allocator. Do not use v5 for secrets or one-time tokens because the value is derivable from known inputs. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses. Review this during every auth-related change, including framework upgrades, CDN additions, and new mobile or third-party clients.

Related Terms

Related Comparisons

Related Tools

Related Articles

Frequently Asked Questions

UUID v5 vs v4?

v5 is deterministic from namespace+name; v4 is random. Use v4 for security tokens. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.

What hash does v5 use?

SHA-1 inside the UUID construction. Not related to JWT signing algorithms. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.

Can v5 replace database sequences?

For idempotent upserts from external keys, yes. Not for session secrets. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.