UUID vs CUID2 — Which Should You Use?
CUID2 prioritizes collision resistance under adversarial conditions. UUID is the universal RFC standard. Here's how to choose.
What is CUID2?
CUID2 (Collision-resistant Unique IDentifier v2) is an ID scheme designed by Eric Elliott. It generates IDs like this:
clh3bq5yj0002pe1y5m5k4v0e
CUID2 IDs always start with a letter (making them safe as HTML element IDs and CSS selectors), are 24 characters long, use a lowercase alphanumeric alphabet, and are generated using SHA-3 hashing over a mix of random bytes, a timestamp, a counter, and an environmental fingerprint.
CUID2 is the successor to the original CUID, which had weaknesses discovered through analysis. CUID2 fixes those issues.
Side-by-Side Comparison
| Property | UUID v4 | UUID v7 | CUID2 |
|---|---|---|---|
| Default string length | 36 chars | 36 chars | 24 chars |
| Always starts with a letter | No | No | Yes |
| Sortable by time | No | Yes | No |
| Collision resistance (adversarial) | Standard | Standard | Higher (SHA-3 + counter + fingerprint) |
| URL-safe | Yes | Yes | Yes |
| Safe as HTML ID / CSS selector | No (starts with digit) | No | Yes |
| RFC standard | RFC 4122 / RFC 9562 | RFC 9562 | No (community spec) |
| Native database support | UUID columns | UUID columns | Needs VARCHAR(24) |
| Ecosystem support | All languages | Widely supported | JS/TS, some ports |
Decision Guide
Use CUID2 when:
- You need IDs that are safe as HTML element IDs or CSS selectors (must start with a letter)
- You're in the JavaScript/TypeScript ecosystem and the npm package is acceptable
- You specifically need the higher adversarial collision resistance CUID2 provides
- Prisma ORM is your database layer (CUID2 is Prisma's default ID scheme)
Use UUID instead when:
- You need RFC compliance and cross-language interoperability
- Your database has a native UUID column type
- You need sortable IDs → use UUID v7
- You're working outside the JavaScript ecosystem
Frequently Asked Questions
What is CUID2?
CUID2 is the second version of CUID (Collision-resistant Unique IDentifier), designed by Eric Elliott. It generates 24-character IDs starting with a letter (e.g. clh3bq5yj0002pe1y5m5k4v0e) using SHA-3 hashing over a combination of random bytes, timestamp, counter, and a fingerprint. CUID2 improves on the original CUID by being more secure and harder to predict.
Is CUID2 better than UUID?
CUID2 and UUID solve slightly different problems. CUID2 is designed for high-throughput distributed systems where collision resistance even under adversarial conditions is paramount, and where human-readable IDs that start with a letter are preferred. UUID is a formal RFC standard with universal library support. For most use cases, UUID v4 or v7 is simpler and sufficiently collision-resistant.
Why does Prisma use CUID2 by default?
Prisma historically defaulted to CUID (v1) for its @id @default(cuid()) annotation because it always starts with a letter — making it safe as a CSS selector and HTML element ID without quoting. Prisma 5+ supports CUID2 via @default(cuid(2)). You can also use @default(uuid(4)) or @default(uuid(7)) for UUID-based primary keys.